Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL

The cryptomining malware, which typically targets Linux, is exploiting weaknesses in an open source container tool for initial access to cloud environments.

A malware that typically targets Linux environments for cryptocurrency mining has found a new target: vulnerable images and weakly configured PostgreSQL containers in Kubernetes that can be exploited for initial access, Microsoft has found.
Kinsing is a Golang-based malware best known for its targeting of Linux environments, but Microsoft researchers recently observed the
Kinsing malware
evolving its tactics, Microsoft security researcher Sunders Bruskin divulged in a
recently published report
.
Kubernetes, meanwhile, has become the standard open source tool for managing enterprise application deployment mainly because its cost-effective, offers autoscaling, and can run on any infrastructure. Indeed,
85% of IT leaders
consider Kubernetes extremely important to cloud-native strategies.
That Kinsing would begin to find new ways to
exploit Kubernetes
clusters is on brand for the malware, especially because Kubernetes, like the cloud itself, is
notoriously difficult to secure
. Attackers have found multiple holes in Kubernetes — including the discovery of more than
380,000 open Kubernetes API servers exposed
on the Internet — that have made it open season on cloud environments that use the management platform. Threat actors are even using compromised Kubernetes clusters to
launch further malicious attacks
.
Exposing the cluster to the Internet without proper security measures can leave it open to attack from external sources, Bruskin acknowledged in the post.
One of the new ways Kinsing is targeting Kubernetes environments is by targeting images that are vulnerable to remote code execution (RCE), the researchers found. This allows attackers with network access to exploit the container and run their malicious payload, they said.
In their observations, Microsoft researchers observed several application images frequently infected with Kinsing malware, including PHPUnit, Liferay, Oracle WebLogic, and WordPress, Bruskin wrote.
A series of high-severity vulnerabilities in WebLogic that Oracle revealed in 2020 —
CVE-2020-14882
,
CVE-2020-14750
, and
CVE-2020-14883
— have become particular targets of attackers wielding the Kinsing malware, which goes after unpatched WebLogic server images, researchers said.
Attacks begin with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001), Bruskin revealed.
If vulnerable, attackers can use one of the exploits to run their malicious payload (Kinsing, in this case), he wrote, using a malicious command.
Microsoft researchers also recently observed a significant amount of Kubernetes clusters running PostgreSQL containers that were infected with Kinsing. They attributed the infections to attackers targeting several common misconfigurations that expose these servers, they said.
One is to use the trust authentication setting to configure these containers, which means PostgreSQL will assume that anyone who can connect to the server is authorized to access the database with whatever database user name they specify.
However, in some cases, this range is wider than it should be or even accepts connections from any IP address (i.e. 0.0.0.0/0), Bruskin explained in the post. In such configurations, attackers can freely connect to the PostgreSQL servers without authentication, which may lead to code execution.
Some network configurations in Kubernetes also are prone to Address Resolution Protocol (ARP) poisoning, which allows attackers to impersonate applications in the cluster. This means that even specifying a private IP address in the trust configuration may pose a security risk, the researchers said. ARP is the process of connecting a dynamic IP address to a physical machines MAC address.
Indeed, as a general rule, configuring a PostgreSQL container to allow access to a broad range of IP addresses is exposing it to a potential threat, Bruskin warned.
Even if administrators dont configure it using an unsecured trust authentication method, attackers can brute-force PostgreSQL accounts, use denial-of-service (DoS) or distributed DoS (DDoS) attackers on the containers availability, or exploit the container and the database itself to compromise Kubernetes clusters, he wrote.
Researchers offered both general rules of thumb for enterprises implementing Kubernetes environments and specific mitigations to avoid exposing them to
attacks that target vulnerable images
and common PostgreSQL misconfigurations.
In general, security teams must remain aware of exposed containers and vulnerable images and try to mitigate the risk before they are breached, Bruskin advised.
Regularly updating images and secure configurations can be a game changer for a company when trying to be as protected as possible from security breaches and risky exposure, he wrote.
To mitigate the risk of implementing containers with vulnerable images, organizations can take several steps when deploying an image to the container, the researchers said. The first is to ensure that the image is from a known registry and that its been patched and updated to the latest version, they said.
Organizations should also scan all images for vulnerabilities, identifying which ones are vulnerable and what those vulnerabilities are, especially the ones that are used in exposed containers. Finally, the researchers said, minimizing access to the container by assigning access to specific IPs and applying the least privileges rule to the user can also prevent attackers from exploiting vulnerable images in Kubernetes environments.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Microsoft: Kinsing Targets Kubernetes via Containers, PostgreSQL