January 10, 2023

The Kinsing malware is now actively infringing Kubernetes clusters, according to Microsoft’s Defender, by utilizing known flaws in container images and malfunctioning, exposed PostgreSQL containers.

“Recently, we identified a widespread campaign of Kinsing that targeted vulnerable versions of WebLogic servers,” reads a report by Microsoft security researcher Sunders Bruskin.

“Attacks start with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001).”

The most recent attack represents an increase in the use of two methods by Kinsing operators to gain initial access to a Linux server: exploiting a vulnerability in container images or misconfigured PostgreSQL database servers.

The attackers are now said to be exploiting PostgreSQL server misconfigurations to co-opt the Kinsing actor and gain an initial foothold, with the company observing a “large number of clusters” infected in this manner.

The misconfiguration is related to a trust authentication setting, which could be abused to connect to the servers without any authentication and achieve code execution if the option to accept connections from any IP address is enabled.

“In general, allowing access to a broad range of IP addresses is exposing the PostgreSQL container to a potential threat,” Bruskin explained.

The sources for this piece include an article in BleepingComputer.