For the past few months, an organized attack campaign has been targeting misconfigured open Docker daemon API ports to spread the Kinsing malware, which is designed for crypto mining.
Kinsing is Linux-based malware that carries a crypto miner and spreads through containers in order to mine the Bitcoin cryptocurrency.
According to Gal Singer, a cybersecurity researcher at Aqua, the number of attacks against Docker hosts has increased sharply since the beginning of 2020. These attacks, which are still ongoing, are carried out by knowledgeable actors with adequate resources.
These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date. We, therefore, believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.
Attackers first identify misconfigured Docker daemon API ports that have been left open on the internet without authentication, then instantiate an Ubuntu container with a command that downloads the Kinsing malware and starts crypto mining. The command also kills competing applications, in particular other malware and crypto miners, deletes their files, and terminates rival malicious Docker containers.
How does Kinsing affect Docker containers?
The Kinsing malware is a Golang-based Linux agent that uses several Go libraries to communicate with a command-and-control (C2) server, monitor the system and its processes, execute binaries, and keep a disk-backed key-value store for its data.
Cryptomining attacks against Docker hosts have happened before: in October 2019, researchers from Palo Alto Networks found that more than 2,000 insecure Docker services were exposed to the public web.
Aqua recommends several steps to mitigate the risk, including reviewing security policies such as the authorization and authentication policies, identifying all cloud resources and classifying them in a logical structure, and investigating logs.
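As an added example of the authentication review Aqua recommends (this is not Aqua's or the article's code), the following Python audit reads a Docker daemon.json and flags any TCP API listener that is not protected by tlsverify, which is the unauthenticated exposure this campaign scans for. The two configuration samples are constructed for the example; the daemon.json keys (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real Docker daemon options.

```python
"""Added example (not Aqua's or the article's code): audit a Docker daemon.json
for an API listener exposed over TCP without client-certificate verification."""
import json
from urllib.parse import urlsplit

# Constructed sample: plaintext TCP listener on 2375, the exposure Kinsing scans for.
EXPOSED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Constructed sample: TCP listener on 2376 that requires a client certificate.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(config_text):
    """Return (severity, message) findings for each risky TCP listener.

    Empty list: every TCP listener requires a client cert (tlsverify) or is
    bound to loopback only. unix:// and fd:// sockets are local and skipped.
    """
    cfg = json.loads(config_text)
    tlsverify = bool(cfg.get("tlsverify", False))
    tls_only = bool(cfg.get("tls", False))  # "tls" encrypts but does not authenticate clients
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue
        bind = parts.hostname or "0.0.0.0"  # "tcp://:2375" binds all interfaces
        if tlsverify or bind in LOOPBACK:
            continue
        if tls_only:
            findings.append(("HIGH", f"{host}: TLS on but tlsverify off; any client can call the API"))
        else:
            findings.append(("HIGH", f"{host}: plaintext, unauthenticated Docker API on a non-loopback address"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or "OK")
```

A clean result from this check still leaves the listener reachable at the network layer, so firewall rules limiting who can reach the port remain part of the review.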