The Kinsing malware is targeting Kubernetes clusters by exploiting known vulnerabilities in container images and misconfigured PostgreSQL containers.


The malware has a history of targeting containerized environments for crypto mining, and the threat actors behind it have been known to exploit known vulnerabilities in order to gain access to target systems.

Microsoft’s Defender for Cloud team has recently observed an increase in attacks using these tactics, indicating that the threat actors are actively seeking out specific entry points, like PHPUnit, Liferay, Oracle WebLogic and WordPress.

In WebLogic cases, the attackers scan for CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883, all remote code execution flaws impacting Oracle’s product.

Microsoft’s security team has also observed attacks targeting misconfigured PostgreSQL servers. Common misconfigurations that attackers may exploit include the “trust authentication” setting, which lets any client that can reach the server connect without a password, and assigning overly broad IP address ranges to the rules that control which hosts may connect.
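As an added example (not from the article or from Microsoft), the following script audits a pg_hba.conf for the two misconfigurations named above: rules that use the "trust" method and rules whose address range is wider than a chosen threshold. The sample file content and the /24 and /64 thresholds are constructed assumptions.

```python
import ipaddress

# Constructed sample pg_hba.conf (not a real deployment): one safe host rule,
# three with overly broad ranges, one of which also uses "trust".
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    scram-sha-256
host    all       all   0.0.0.0/0       trust
host    all       all   10.0.0.0/8      md5
hostssl all       all   ::/0            scram-sha-256
"""

# Assumed thresholds: anything wider than /24 (IPv4) or /64 (IPv6) is treated
# as "overly broad"; adjust to the network you actually run in.
MAX_PREFIX_V4 = 24
MAX_PREFIX_V6 = 64

def audit_pg_hba(text):
    """Return (line_no, reason) findings for risky rules in pg_hba.conf text.

    Handles the CIDR address form; the older "IP-address IP-mask" form is not parsed.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":               # local rules carry no ADDRESS column
            address, method = None, (fields[3] if len(fields) > 3 else "")
        elif len(fields) >= 5:
            address, method = fields[3], fields[4]
        else:
            findings.append((line_no, "malformed rule"))
            continue
        if method == "trust":
            findings.append((line_no, "trust authentication (no password required)"))
        if address == "all":
            findings.append((line_no, "overly broad address range all"))
        elif address:
            try:
                net = ipaddress.ip_network(address, strict=False)
            except ValueError:
                continue   # hostnames, samehost/samenet: not a CIDR, skip
            limit = MAX_PREFIX_V4 if net.version == 4 else MAX_PREFIX_V6
            if net.prefixlen < limit:
                findings.append((line_no, f"overly broad address range {address}"))
    return findings
```

Running `audit_pg_hba(SAMPLE_PG_HBA)` flags line 4 twice (trust and 0.0.0.0/0) and lines 5 and 6 once each for their ranges.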

Attackers may also use ARP poisoning to spoof apps in a Kubernetes cluster in order to gain access.