Malware campaign targeting Kubernetes clusters

Microsoft security researchers report that they have detected an increase in deployments of the Kinsing malware on Linux servers.

According to the company's report, the attackers exploit vulnerabilities such as Log4Shell and the Atlassian Confluence RCE in exposed, misconfigured container images and PostgreSQL containers to install cryptominers on vulnerable endpoints.

The Microsoft Defender for Cloud team stated that the attackers scan these applications for exploitable flaws:

As for the flaws themselves, the attackers sought to exploit CVE-XNUMX-XNUMX, CVE-XNUMX-XNUMX and CVE-XNUMX-XNUMX, all remote code execution vulnerabilities in Oracle software.

"Recently, we identified a widespread Kinsing campaign targeting vulnerable versions of WebLogic servers," Microsoft said. "The attacks start by scanning a wide range of IP addresses, looking for an open port that matches WebLogic's default port (7001)."

Updating images

To stay safe, IT administrators are advised to update their images to the latest versions and to pull images only from official repositories.
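One way to check a running cluster against this advice, as an added example that is not from the article or the Microsoft report: the Python below walks the JSON that `kubectl get pods -A -o json` produces and flags images pulled from a registry outside an assumed allow-list, or referenced by a floating tag instead of a pinned digest. The allow-list and the pod list are constructed for illustration.

```python
import json

# Assumed policy: only these registries count as "official" for this cluster.
ALLOWED_REGISTRIES = {"registry.example.internal", "docker.io/library"}


def parse_image(image):
    """Split an image reference into (name, tag, digest)."""
    digest = None
    if "@" in image:
        image, digest = image.split("@", 1)
    tag = None
    # A ':' marks a tag only if it follows the last '/'; otherwise it is a
    # registry port, as in host:5000/img.
    if image.rfind(":") > image.rfind("/"):
        image, tag = image.rsplit(":", 1)
    return image, tag, digest


def registry_of(name):
    """Docker-style defaulting: bare names such as postgres resolve to docker.io/library."""
    first, _, rest = name.partition("/")
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io" if rest else "docker.io/library"


def audit_pods(pod_list_json):
    """Return (namespace/pod, image, reason) for each image that breaks the policy."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        ident = pod["metadata"]["namespace"] + "/" + pod["metadata"]["name"]
        for container in pod["spec"]["containers"]:
            image = container["image"]
            name, tag, digest = parse_image(image)
            if registry_of(name) not in ALLOWED_REGISTRIES:
                findings.append((ident, image, "registry not on allow-list"))
            if digest is None and tag in (None, "latest"):
                findings.append((ident, image, "floating tag, no pinned digest"))
    return findings


# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "db", "name": "pg-0"}, "spec": {"containers": [{"image": "postgres:15.4"}]}},
    {"metadata": {"namespace": "web", "name": "wls-1"}, "spec": {"containers": [{"image": "someuser/weblogic:latest"}]}},
    {"metadata": {"namespace": "app", "name": "api-2"},
     "spec": {"containers": [{"image": "registry.example.internal/api@sha256:" + "0" * 64}]}},
]})

if __name__ == "__main__":
    for ident, image, reason in audit_pods(SAMPLE_PODS):
        print(f"{ident}: {image} -> {reason}")
```

Only the `web/wls-1` pod is reported: its image comes from an unlisted Docker Hub account and uses the `latest` tag, while the digest-pinned internal image and the versioned library image pass.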

Threat actors like to plant cryptocurrency miners on servers. These remote endpoints are often computationally powerful, which lets attackers mine large amounts of cryptocurrency without owning the necessary hardware. They also avoid the high electricity costs usually associated with cryptomining.

Victims, on the other hand, have a lot to lose. Their servers not only become practically unusable (cryptomining is computationally heavy) but also run up high electricity bills. The electricity consumed is usually out of all proportion to the cryptocurrency mined, which makes the whole ordeal even more painful.

According to the Microsoft Defender for Cloud team, the two techniques it identified are "common" in real-world attacks against Kubernetes clusters.

"Exposing the cluster to the Internet without proper security measures can make it vulnerable to attacks from external sources. In addition, attackers can gain access to the cluster by exploiting known vulnerabilities in the images," the team stated.

"It is essential that security teams are aware of exposed containers and vulnerable images and try to mitigate the danger before they are hacked. As we've seen in this blog, regularly updating secure images and settings can be a game changer for a company as it seeks to be as protected as possible from security breaches and risky exposures."

Via: BleepingComputer