Malicious actors comparable to Kinsing are making the most of each not too long ago disclosed and older safety flaws in Oracle WebLogic Server to ship cryptocurrency-mining malware.
Cybersecurity firm Pattern Micro stated it discovered the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable working system (OS) security measures comparable to Safety-Enhanced Linux (SELinux), and others.
The operators behind the Kinsing malware have a historical past of scanning for weak servers to co-opt them right into a botnet, together with that of Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134).
The Kinsing actors have additionally been concerned in campaigns towards container environments through misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently unfold the malware to different containers and hosts.
The most recent wave of assaults entails the actor weaponizing CVE-2020-14882 (CVSS rating: 9.8), a two-year-old distant code execution (RCE) bug, towards unpatched servers to grab management of the server and drop malicious payloads.
It is price noting that the vulnerability has been exploited previously by a number of botnets to distribute Monero miners and the Tsunami backdoor on contaminated Linux methods.
Profitable exploitation of the flaw was succeeded by the deployment of a shell script that is accountable for a collection of actions: Eradicating the /var/log/syslog system log, turning off security measures and cloud service brokers from Alibaba and Tencent, and killing competing miner processes.
The shell script then proceeds to obtain the Kinsing malware from a distant server, whereas additionally taking steps to make sure persistence via cron job.
“The profitable exploitation of this vulnerability can result in RCE, which might enable attackers to carry out a plethora of malicious actions on affected methods,” Pattern Micro stated. “This may vary from malware execution […] to theft of important information, and even full management of a compromised machine.”
TeamTNT actors make a comeback with the Kangaroo Assault
The event comes as researchers from Aqua Safety recognized three new assaults linked to a different “vibrant” cryptojacking group known as TeamTNT, which voluntarily shut store in November 2021.
“TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container picture, with a command line to obtain a shell script (okay.sh) to a C2 server,” Aqua Safety researcher Assaf Morag stated.
What’s notable concerning the assault chain is that it seems to be designed to interrupt SECP256K1 encryption, which, if profitable, might give the actor the flexibility to calculate the keys to any cryptocurrency pockets. Put in another way, the concept is to leverage the excessive however unlawful computational energy of its targets to run the ECDLP solver and get the important thing.
Two different assaults mounted by the group entail the exploitation of uncovered Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.
TeamTNT’s concentrating on of Docker REST APIs has been well-documented over the previous 12 months. However in an operational safety blunder noticed by Pattern Micro, credentials related to two of the attacker-controlled DockerHub accounts have been uncovered.
The accounts – alpineos and sandeep078 – are stated to have been used to distribute quite a lot of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.
“The account alpineos was utilized in exploitation makes an attempt on our honeypots 3 times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” Pattern Micro’s Nitesh Surana stated.
“The risk actors have been logged in to their accounts on the DockerHub registry and possibly forgot to sign off.” Alternatively, “the risk actors logged in to their DockerHub account utilizing the credentials of alpineos.”
Pattern Micro stated the malicious alpineos picture had been downloaded greater than 150,000 occasions, including it notified Docker about these accounts.
It is also recommending organizations to configure the uncovered REST API with TLS to mitigate adversary-in-the-middle (AiTM) assaults, in addition to use credential shops and helpers to host person credentials.