Malicious actors corresponding to Kinsing are profiting from each not too long ago disclosed and older safety flaws in Oracle WebLogic Server to ship cryptocurrency-mining malware.
Cybersecurity firm Pattern Micro mentioned it discovered the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable working system (OS) safety features corresponding to Safety-Enhanced Linux (SELinux), and others.
The operators behind the Kinsing malware have a historical past of scanning for weak servers to co-opt them right into a botnet, together with that of Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134).
The Kinsing actors have additionally been concerned in campaigns in opposition to container environments through misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently unfold the malware to different containers and hosts.
The most recent wave of assaults entails the actor weaponizing CVE-2020-14882 (CVSS rating: 9.8), a two-year-old distant code execution (RCE) bug, in opposition to unpatched servers to grab management of the server and drop malicious payloads.
It is value noting that the vulnerability has been exploited prior to now by a number of botnets to distribute Monero miners and the Tsunami backdoor on contaminated Linux programs.
Profitable exploitation of the flaw was succeeded by the deployment of a shell script that is liable for a sequence of actions: Eradicating the /var/log/syslog system log, turning off safety features and cloud service brokers from Alibaba and Tencent, and killing competing miner processes.
The shell script then proceeds to obtain the Kinsing malware from a distant server, whereas additionally taking steps to make sure persistence by way of cron job.
“The profitable exploitation of this vulnerability can result in RCE, which might permit attackers to carry out a plethora of malicious actions on affected programs,” Pattern Micro mentioned. “This may vary from malware execution […] to theft of crucial knowledge, and even full management of a compromised machine.”
TeamTNT actors make a comeback with the Kangaroo Assault
The event comes as researchers from Aqua Safety recognized three new assaults linked to a different “vibrant” cryptojacking group known as TeamTNT, which voluntarily shut store in November 2021.
“TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container picture, with a command line to obtain a shell script (okay.sh) to a C2 server,” Aqua Safety researcher Assaf Morag mentioned.
What’s notable concerning the assault chain is that it seems to be designed to interrupt SECP256K1 encryption, which, if profitable, might give the actor the power to calculate the keys to any cryptocurrency pockets. Put otherwise, the concept is to leverage the excessive however unlawful computational energy of its targets to run the ECDLP solver and get the important thing.
Two different assaults mounted by the group entail the exploitation of uncovered Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.
TeamTNT’s focusing on of Docker REST APIs has been well-documented over the previous 12 months. However in an operational safety blunder noticed by Pattern Micro, credentials related to two of the attacker-controlled DockerHub accounts have been uncovered.
The accounts – alpineos and sandeep078 – are mentioned to have been used to distribute quite a lot of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.
“The account alpineos was utilized in exploitation makes an attempt on our honeypots 3 times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” Pattern Micro’s Nitesh Surana mentioned.
“The risk actors have been logged in to their accounts on the DockerHub registry and possibly forgot to sign off.” Alternatively, “the risk actors logged in to their DockerHub account utilizing the credentials of alpineos.”
Pattern Micro mentioned the malicious alpineos picture had been downloaded greater than 150,000 occasions, including it notified Docker about these accounts.
It is also recommending organizations to configure the uncovered REST API with TLS to mitigate adversary-in-the-middle (AiTM) assaults, in addition to use credential shops and helpers to host person credentials.
