Hackers abuse misconfigured Docker servers to release Kinsing malware

Misconfigured Docker API ports left exposed without passwords used to spread new crypto-mining malware

Samples of Kinsing malware spread with the help of unprotected Docker API ports. Security researchers released a report on a new attack campaign that targets Docker servers and delivers Kinsing malware.^[1] By connecting to open API of Docker server, attackers can run files, and trigger shell scripts that lead to downloads of Kinsing malware and cryptocurrency-mining activities.^[2]

The campaign includes disabling other malware, security measures, cleaning logs, and creating commands before loading the main crypto-miner^[3] payload. The network can get infected by connecting to each device laterally, so malware can be activated in all the machines connected to the targeted network.

Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network.

Attacks started last year and are actively running to this day. There are many malware campaigns targeting Docker instances. These systems provide hackers and hacker groups access to many resources when an instance with the exposed API port gets compromised.^[4]

Cryptomining is not the only Kinsing malware campaign function

The usage of unprotected Docker API is the baseline of the malware campaign because this connection allows a hacker to run the Ubuntu container that includes a shell script that disables all the features and programs that may interfere with cryptomining malware activities. Another script that is released before any Kinsing payload execution collects information from host folders and configuration history folders. These files can be used to infect the network and spread throughout the network.

The last stage of the attack is leading the cryptocurrency miner malware after particular commands from the C&C server^[5] gets received. This is the main purpose oh Kinsing virus because it is a great way to make a profit from victims without actually contacting them, but there are secondary functions of the virus attack. Scripts that remove other malware can be triggered locally and throughout the network. Such functions can even go further and help infect other cloud systems connected to the container network with the malware.

Malware continuously target Docker instances

Unfortunately, Kinsing malware attacks are ongoing and can get more intrusive and stealthy in the future. Researchers recommend companies to up their security measures and review settings on their Docker servers and ensure that APIs are not exposed online. This is only the latest campaign of such type because Docker instances have been targeted by various malware creators, including botnets based on cryptocurrency mining.

It all started to occur in 2018, and many researchers detected attacks against Docker systems, including the Aqua Security team, who reported about this Kinsing malware campaign. Unfortunately, many reports followed after the first instances because in 2018, at least three separate attacks were detailed, and in 2019, three additional malware campaigns targeting Docker servers were reported.^[6]

Cryptojacking malware might become more and more popular, resulting in larger numbers of these campaigns and malware creators getting more stealthy and equipped. It shows that attackers can easily choose an unsecured docker and set remote commands to download and deploy malicious programs, tools that communicate with hacker-controlled servers and repeats these steps periodically to compromise as many hosts.

Worms and cryptojacking viruses may not involve sophisticated tactics or procedures. Still, new scripts launched continuously from the C2 server may lead to ransomware infections or another type of malware that sufficiently compromises hosts and leads to many issues.