Virus Alert :Kinsing malware
Type: Cryptojacking Worm
Systems Affected: Docker containers
Docker is a technology that allows us to perform operating system level virtualization. A large number of organizations are using Docker to develop, deploy and run applications inside containers. Recently several cases of abuse of the systems running misconfigured Docker Engine have been reported. A new malware “Kinsing” is reported that hunts for misconfigured publicly exposed Docker services and infects them with containers that run crypto miners.
The malware's primary purpose is to mine cryptocurrency on the targeted Docker instance, but it also comes with secondary functions. These include running scripts that remove other malware that may be running locally, but also gathering local SSH credentials in an attempt to spread to a company's container network, to infect other cloud systems with the same malware.
The malware starts with identifying a misconfigured Docker API port that has been left open to the public internet. The malware accesses this open port and the Docker instance connected to it, and run a rogue Ubuntu container. The container issues a command that fetches the Kinsing malware, which in turn downloads and runs a cryptominer. In the final stage of the infection, Kinsing attempts to propagate to other containers and hosts.
CERT-In encourages to block following IOC’s:
URL’s:
hXXp://142[.]44.191.122/d.sh
hXXp://142[.]44.191.122/ kinsing/
hXXp://142[.]44.191.122/al.sh
hXXp://142[.]44.191.122/cron. sh
hXXp://142[.]44.191.122/
hXXp://142[.]44.191.122/ kinsing
hXXp://142[.]44.191.122/ex.sh
hXXp://185[.]92.74.42/w.sh
hXXp://185[.]92.74.42/d.sh
hXXp://217[.]12.221.244/
hXXp://217[.]12.221.24/d.sh
hXXp://217[.]12.221.244/ kinsing
hXXp://217[.]12.221.244/j.sh
hXXp://217[.]12.221.244/t.sh
hXXp://217[.]12.221.244/spr.sh
hXXp://217[.]12.221.244/spre. sh
hXXp://217[.]12.221.244/p.sh
hXXp://217[.]12.221.244/ Application.jar
hXXp://217[.]12.221.244/f.sh
hXXp://www[.]traffclick[.]ru/
hXXp://www[.]mechta-dachnika- tut[.]ru/
hXXp://www[.]rus-wintrillions- com[.]ru/
hXXp://rus-wintrillions-com[.] ru/
hXXp://stroitelnye- jekologicheskie-materialy2016[ .]ru
IP addresses:
45[.]10[.]88[.]102
91[.]215[.]169[.]111
193[.]33[.]87[.]219
Hashes:
0d3b26a8c65cf25356399cc5936a72 10
6bffa50350be7234071814181277ae 79
c4be7a3abc9f180d997dbb93937926 ad
Best Practices for Docker Security:
Never expose a docker daemon to the internet without a proper authentication mechanism. Note that by default the Docker Engine (CE) is NOT exposed to the internet.
Thoroughly check the security settings of Docker instances. In order to ensure that no administrative APIs give access to these instances via the Internet place these special APIs behind a firewall or only making them accessible via a VPN gateway if they need to be accessible online.
Otherwise, they should simply be disabled.
· Set quotas for docker resources to limit maximum usage for each resource. Refer below documentation for details
Enforce the principle of least privilege. For instance, restrict access to the daemon and encrypt the communication protocols it uses to connect to the network.
Use firewall rules to whitelist the incoming traffic to a small set of sources.
Never pull Docker images from unknown registries or unknown user namespaces.
Frequently check for any unknown containers or images in the system.
Reference:
- -targeted-by-cryptominer- malware/d/d-id/1337492
Post a Comment
PLEASE SUBMIT YOUR VALUABLE SUGGESTIONS TO GET PUBLISHED.