Threat actors are exploiting vulnerabilities in PostgreSQL containers.

The Microsoft Defender for Cloud security team reports that Kinsing malware is actively breaching Kubernetes clusters. On January 5, Sunders Bruskin, a Security Researcher at Microsoft Defender for Cloud, detailed the methodologies of the exploits and recommended mitigations in a blog post.

“Kinsing is a known malware that targets Linux environments for cryptocurrency purposes”, Bruskin writes. “Kinsing uses some unique techniques that target containerized environments, making it also common in Kubernetes clusters.”

The malefactors behind Kinsing are known for exploiting known vulnerabilities to breach targets and establish persistence. Examples of this behaviour are Log4Shell, and, more recently, an Atlassian Confluence RCE.

Bruskin’s blog post focuses on a specific angle of Kinsing, namely the initial access techniques in Kubernetes environments. These methods were observed specifically in Microsoft Defender for Cloud.

“While Kinsing uses multiple initial access vector techniques”, he writes, “we recently observed two methods that are especially common: exploitation of weakly configured PostgreSQL containers and exploiting vulnerable images”.

Exploiting vulnerable images

Bruskin notes that many of the images were vulnerable to remote code execution, allowing attackers with network access to exploit the container and run their malicious payload. Examples of applications that were particularly vulnerable include PHPUnit, Liferay, WebLogic and WordPress.

To mitigate this vulnerability, Bruskin recommends that users scan all images for vulnerabilities to identify which ones are vulnerable and what the vulnerabilities are, especially the ones that are used in exposed containers. One can also mitigate the risk by minimizing access to the container, he adds.

Exploiting vulnerable PostgreSQL

The second method to get access and run malicious payloads uses misconfigured and exposed PostgreSQL servers. “In general, allowing access to a broad range of IP addresses is exposing the PostgreSQL container to a potential threat”, Bruskin says.

To mitigate this risk, users should use a tool (such as Microsoft Defender) to identify permissive settings and misconfigurations of PostgreSQL server containers that are exposed to the internet. “In this way, an organization can mitigate the risk before the container gets compromised”, according to Bruskin.
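As an added example (not code from Bruskin's post or from Microsoft's tooling), the following audits the client-authentication rules in a PostgreSQL pg_hba.conf and flags the permissive settings the post warns about: rules that admit a broad range of IP addresses, or that accept connections with no authentication (trust) or with cleartext passwords. The sample configuration is constructed, and the 65,536-host threshold for "broad" is an assumption.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the page); lines 4, 5, 7 and 8 are permissive.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      trust
host    all       all   ::/0           md5
hostssl app       app   10.20.0.0/16   scram-sha-256
host    all       all   172.16.0.0 255.240.0.0 scram-sha-256
host    all       all   all            password
"""

def _network(text):
    """Parse an ADDRESS value such as '10.0.0.0/8' or '10.0.0.0/255.0.0.0'; None if not an IP range."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def audit_pg_hba(text, max_ipv4_hosts=65536):
    """Return one finding per network rule that exposes the server too broadly or too weakly."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local" or len(fields) < 5:
            continue  # comments, Unix-socket rules (not network reachable) and short lines
        address, method = fields[3], fields[4]
        net = None
        if "/" not in address and len(fields) >= 6:
            net = _network(f"{address}/{fields[4]}")  # legacy ADDRESS NETMASK METHOD form
            if net is not None:
                method = fields[5]
        if net is None:
            net = _network(address)  # CIDR form; None for 'all', 'samenet' or a hostname
        reasons = []
        if method == "trust":
            reasons.append("trust: every client in range connects without credentials")
        elif method == "password":
            reasons.append("password: cleartext password on the wire")
        if address == "all" or (net is not None and net.prefixlen == 0):
            reasons.append("address: every IP address is allowed")
        elif net is not None and net.version == 4 and net.num_addresses > max_ipv4_hosts:
            reasons.append(f"address: {net} spans {net.num_addresses} hosts")
        if reasons:
            findings.append({"line": lineno, "rule": " ".join(fields), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']}: {f['rule']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it against the pg_hba.conf mounted into an exposed container; a clean run on a file that only grants single hosts or small subnets with scram-sha-256 returns no findings.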