AquaSecurity: the Kissing miner infects thousands of Docker servers daily

Cybersecurity researchers at Aqua Security have discovered a campaign to distribute a bitcoin miner that infects thousands of Docker servers every day.

In its report
Aqua Security issued a warning about the threat of an attack that “has been going on for several months, and thousands of attempts are made almost daily.” Researchers warn:

“These are the highest numbers we have ever seen, far exceeding the figures of other campaigns we have encountered previously.”

The scale of the Kinsing miner’s distribution indicates that an illegal campaign can hardly be considered “improvisation”, since its operators must rely on significant resources and infrastructure.

Using virus analysis tools, Aqua Security identified the malware as a Golang-based Linux agent known as Kinsing. It is distributed by exploiting a vulnerability in a configuration error in Docker API ports. It starts an Ubuntu container that loads Kinsing, and then tries to spread the malware to other containers and hosts.

The researchers claim that the ultimate goal of the campaign, which is achieved primarily by using an open port, and then by applying a number of evasion tactics, is to deploy a cryptocurrency miner on a hacked host.

The Aqua study provides a detailed view of the components of the malware campaign, which can be considered a Prime example of a “growing threat to cloud environments”. Researchers note that attackers are carrying out increasingly complex and ambitious attacks. In response, enterprise security professionals need to develop a more robust strategy to reduce these new risks.

Aqua suggests that security professionals identify all cloud resources and group them into a logical structure, review their authorization and authentication policies, and configure basic security policies in accordance with the principle of “least privilege”. Specialists should also investigate logs to detect abnormal user actions, and implement cloud security tools to strengthen their strategy.

This is not the first time hackers have tried to exploit vulnerabilities in cloud infrastructures for cryptocurrency mining. In the summer of last year, Skybox Security conducted a study, according to the results of which hackers switched from viruses-miners for ordinary users ‘ PCs to hacking and using cloud services resources.

In March last year, the cybersecurity division of the American telecommunications operator AT&T also reported that the main purpose of hacking cloud servers of various companies was cryptocurrency mining. In addition, at the beginning of 2019, the
new program cryptogamica for mining of monero, which is targeting cloud-based servers.