Cloud cryptomining is on the rise, with attackers exploiting the scalability and flexibility of cloud platforms to conduct illicit activities. Unlike traditional on-premises setups, cloud environments allow attackers to quickly deploy resources for cryptomining. According to research from Tenable, the prime example of this threat is the Kinsing malware, which targets cloud systems with alarming efficiency.
The Kinsing Threat
Kinsing is a well-known malware that has been around for a few years, primarily attacking Linux-based cloud infrastructure. It gains unauthorized access by exploiting various vulnerabilities, then installs backdoors and cryptocurrency miners. These miners use system resources for cryptomining, driving up costs and slowing down server performance.
Recent discoveries show that Kinsing is also attacking Apache Tomcat servers, using clever new methods to hide itself. By placing malicious files in unlikely locations, the malware avoids detection, making it harder for cybersecurity teams to spot and eliminate it.
How Kinsing Operates
Kinsing is adept at finding and exploiting weaknesses in cloud servers and containers. Once it gains access, it places its malicious files in directories where they are unlikely to be noticed, such as:
/var/cache/man/cs/cat1/: the cache of formatted manual pages for user commands.
/var/cache/man/cs/cat3/: the cache of formatted manual pages for programming libraries.
/var/lib/gssproxy/rcache/: the replay cache used by gssproxy for Kerberos authentication.
/var/cache/man/zh_TW/cat8/: the cache of formatted manual pages for system administration commands.
These directories normally hold only legitimate system files, so the malware blends in and avoids detection. This approach lets Kinsing stay active on compromised systems for long periods.
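As an added example, not taken from the article or from Tenable's research, here is a small Python check a defender could run over the directories listed above. A manual-page cache or a Kerberos replay cache should never contain executables, ELF binaries or scripts, so any such file is flagged. The sample directory tree and the file name planted_miner are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Drop locations named in the article, relative to the filesystem root.
SUSPECT_DIRS = [
    "var/cache/man/cs/cat1",
    "var/cache/man/cs/cat3",
    "var/lib/gssproxy/rcache",
    "var/cache/man/zh_TW/cat8",
]

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"


def is_suspicious(path):
    """True for a regular file that is executable, an ELF binary, or a script."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    with open(path, "rb") as f:
        head = f.read(4)
    return head.startswith(ELF_MAGIC) or head.startswith(SHEBANG)


def scan(root="/"):
    """Walk each suspect directory under root; return flagged paths relative to root."""
    hits = []
    for rel in SUSPECT_DIRS:
        base = os.path.join(root, rel)
        if not os.path.isdir(base):
            continue
        for dirpath, _, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                if is_suspicious(full):
                    hits.append(os.path.relpath(full, root))
    return hits


def demo():
    """Constructed tree: one benign gzipped cat page plus one planted ELF binary."""
    root = tempfile.mkdtemp()
    try:
        cat1 = os.path.join(root, "var/cache/man/cs/cat1")
        os.makedirs(cat1)
        with open(os.path.join(cat1, "ls.1.gz"), "wb") as f:
            f.write(b"\x1f\x8b\x08" + b"\x00" * 8)  # gzip header, not executable
        rcache = os.path.join(root, "var/lib/gssproxy/rcache")
        os.makedirs(rcache)
        planted = os.path.join(rcache, "planted_miner")  # constructed name
        with open(planted, "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        os.chmod(planted, 0o755)
        return scan(root)
    finally:
        shutil.rmtree(root)
```

Run scan() against a live host with its default root to audit the real directories; demo() shows the expected verdict on the constructed tree.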
The malicious operation has been ongoing since mid-2023, with traces of Kinsing first appearing in China at the end of 2022. The malware contains a cryptominer called XMRig, which mines Monero, a privacy-focused cryptocurrency. The version of XMRig found was slightly outdated, but still effective.
Detecting and Defending Against Kinsing
Spotting malware like Kinsing requires advanced detection tools. Tenable Cloud Security recently introduced a new feature designed to enhance cloud security by identifying malware across various cloud systems. This added layer of protection helps mitigate the risks posed by threats like Kinsing.
As cloud cryptomining threats continue to grow, it's crucial for organizations to stay vigilant. By adopting advanced security measures and keeping their systems updated, companies can protect their cloud environments from being exploited.
Kinsing’s clever hiding tactics and relentless attacks on cloud infrastructure underscore the need for robust cybersecurity strategies. As attackers become more sophisticated, staying ahead of threats like Kinsing is more important than ever.