Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.
Cybersecurity firm Trend Micro said it found the financially motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable operating system (OS) security features such as Security-Enhanced Linux (SELinux), among others.
The operators behind the Kinsing malware have a history of scanning for vulnerable servers to co-opt them into a botnet, including those of Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134).
The Kinsing actors have also been involved in campaigns against container environments via misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently spread the malware to other containers and hosts.
The latest wave of attacks involves the actor weaponizing CVE-2020-14882 (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.
It's worth noting that the vulnerability has been exploited in the past by multiple botnets to distribute Monero miners and the Tsunami backdoor on infected Linux systems.
Successful exploitation of the flaw was followed by the deployment of a shell script that is responsible for a series of actions: removing the /var/log/syslog system log, turning off security features and cloud service agents from Alibaba and Tencent, and killing competing miner processes.
The shell script then proceeds to download the Kinsing malware from a remote server, while also taking steps to ensure persistence by means of a cron job.
“The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious actions on affected systems,” Trend Micro said. “This can range from malware execution […] to theft of critical data, and even complete control of a compromised machine.”
TeamTNT actors make a comeback with the Kangaroo Attack
The development comes as researchers from Aqua Security discovered a few new attacks linked to another “lively” cryptojacking group called TeamTNT, which voluntarily shut shop in November 2021.
“TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server,” Aqua Security researcher Assaf Morag said.
What's noteworthy about the attack chain is that it appears to be designed to break SECP256K1 encryption, which, if successful, could give the actor the ability to calculate the keys to any cryptocurrency wallet. Put differently, the idea is to leverage the high but illegal computational power of its targets to run the ECDLP solver and obtain the key.
Two other attacks mounted by the group involve the exploitation of exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.
TeamTNT's targeting of Docker REST APIs has been well-documented over the past year. But in an operational security blunder spotted by Trend Micro, credentials associated with two of the attacker-controlled DockerHub accounts were exposed.
The accounts, alpineos and sandeep078, are said to have been used to distribute a variety of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.
“The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments' IP addresses to their location in Germany,” Trend Micro's Nitesh Surana said.
“The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out.” Alternatively, “the threat actors logged in to their DockerHub account using the credentials of alpineos.”
Trend Micro said the malicious alpineos image had been downloaded more than 150,000 times, adding that it notified Docker about these accounts.
It's also recommending that companies configure the exposed REST API with TLS to mitigate adversary-in-the-middle (AiTM) attacks, as well as use credential stores and helpers to hold user credentials.
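As an added example (not code from Trend Micro or from the article), a small audit script for the two recommendations just given: it flags a daemon.json that exposes the Docker API over TCP without TLS client verification, and a client config.json that keeps base64-encoded registry logins instead of using a credential store or helper. The sample configurations embedded below are constructed for the demonstration.

```python
"""Audit Docker daemon and client configuration for two weaknesses: an API
listening on plain TCP without tlsverify, and registry credentials stored
base64-encoded in config.json instead of in a credential store/helper."""
from __future__ import annotations
import json

def audit_daemon(daemon_cfg: dict) -> list[str]:
    """Return findings for a parsed /etc/docker/daemon.json."""
    findings = []
    tcp_hosts = [h for h in daemon_cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: the API is not reachable over the network
    if not daemon_cfg.get("tlsverify"):
        findings.append(f"API on {tcp_hosts} without tlsverify: any client that can reach the port controls the daemon")
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in daemon_cfg:
                findings.append(f"tlsverify set but {key} is missing")
    return findings

def audit_client(client_cfg: dict) -> list[str]:
    """Return findings for a parsed ~/.docker/config.json."""
    findings = []
    auths = client_cfg.get("auths", {})
    for registry, entry in auths.items():
        if entry.get("auth"):  # base64 of user:password, readable by anything running as this user
            findings.append(f"base64 credential for {registry} stored in config.json")
    if auths and not (client_cfg.get("credsStore") or client_cfg.get("credHelpers")):
        findings.append("no credsStore/credHelpers configured; logins are written to config.json")
    return findings

# Constructed sample configs, as the JSON would appear on disk.
WEAK_DAEMON = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
HARDENED_DAEMON = json.loads('''{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}''')
WEAK_CLIENT = json.loads('{"auths": {"https://index.docker.io/v1/": {"auth": "dXNlcjpzM2NyZXQ="}}}')
HARDENED_CLIENT = json.loads('{"credsStore": "pass", "auths": {"https://index.docker.io/v1/": {}}}')

if __name__ == "__main__":
    for name, cfg, fn in [("weak daemon", WEAK_DAEMON, audit_daemon),
                          ("hardened daemon", HARDENED_DAEMON, audit_daemon),
                          ("weak client", WEAK_CLIENT, audit_client),
                          ("hardened client", HARDENED_CLIENT, audit_client)]:
        print(name, "->", fn(cfg) or ["ok"])
```

TLS only authenticates clients; the hardened daemon still listens on every interface, so pair it with firewall rules that limit who can reach port 2376.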
Some parts of this article are sourced from:
thehackernews.com