
Docker Servers Affected by New Kinsing Malware Campaign

For the last few months, a malware campaign has been scanning the internet for Docker servers whose API ports are exposed without any authentication. Attackers break into these hosts and use them to install Kinsing, a new cryptomining malware.

The attacks began last year, according to cloud security company Aqua Security, which recently detailed the campaign's activity in a blog post.

The attacks are only one of a series of malware campaigns targeting Docker instances, which give attackers access to the compromised systems and their substantial computing resources for whatever purpose they have in mind.

Aqua Security researcher Gal Singer noted that once the attackers find a Docker instance with an exposed API port, they use that port to access the host and set up an Ubuntu container. That container is then used to install the Kinsing malware.

The main purpose of the malware is to mine cryptocurrency on the affected Docker instances. The threat goes further than that: it includes scripts that remove other malware, it gathers local SSH credentials, and it can spread across the company's container network to infect other cloud systems.

Since the Kinsing attacks are still active, Aqua Security recommends that companies double-check the security of any Docker instances and make sure no administrative APIs are exposed online. Admin endpoints that must be reachable over the internet should be placed behind a VPN gateway or a firewall, and disabled when not in use.
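As an added illustration of that recommendation (example code written for this article, not from Aqua Security or the Docker project), the following Python function audits a Docker `daemon.json` for the exact weakness the campaign exploits: a `tcp://` listener reachable from the network without TLS client-certificate verification. The file paths in the hardened sample are placeholders; the function only inspects `daemon.json`, not `-H` flags passed to `dockerd` on the command line.

```python
"""Audit a Docker daemon.json for an unauthenticated, network-exposed API."""
import json
from urllib.parse import urlsplit

# Constructed sample configs. The weak one is what the Kinsing campaign looks
# for: the Docker API on a TCP port, bound to every interface, no client auth.
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Hardened: API only on a management address, TLS with client-cert verification.
# Certificate paths are placeholders.
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ALL_INTERFACES = {"0.0.0.0", "::", ""}


def audit(daemon_json: str) -> list[str]:
    """Return a list of findings; an empty list means no exposed API was found."""
    cfg = json.loads(daemon_json)
    findings = []
    tlsverify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        bind = urlsplit(host).hostname or ""  # "" means no address given
        if bind in LOOPBACK:
            continue  # only reachable from the host itself
        if not tlsverify:
            findings.append(
                f"{host}: API reachable over the network without client-certificate auth")
        else:
            # tlsverify is useless unless the CA and server key material are configured
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in cfg:
                    findings.append(f"{host}: tlsverify set but {key} missing")
        if bind in ALL_INTERFACES:
            findings.append(
                f"{host}: bound to all interfaces; restrict to a VPN/management address or firewall it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```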

The recent Kinsing campaign is only the latest in a long list of attacks that have aimed cryptomining botnets at Docker instances. Such attacks were first noticed in spring 2018, when Sysdig and Aqua were the first companies to report the activity.

More attacks have followed since, with reports published by Trend Micro, Juniper Networks, Imperva, Alibaba Cloud and Palo Alto Networks.

One of the more common ways Trojans like Kinsing end up on vulnerable systems is that users download them willingly. Once the user opens the disguised threat, the Trojan typically gains free rein inside the system. In this case the access gained is used to force machines to mine cryptocurrency, but other threats may use it to send more spam or propagate further. Kinsing is notable for eliminating rival threats from the systems it infects, ensuring it has no competition while it does its job.
