As the Kinsing malware has shown, threat actors can capitalize on cloud misconfigurations and API vulnerabilities faster than ever
When malware targeting cloud native infrastructure was discovered in 2019, it was mostly used to exploit misconfigured application programming interfaces (APIs). By the following year, it had spread rapidly to popular cloud native applications worldwide.
According to one firm that has been studying the malware for years, honeypots targeting Kinsing attracted eight attacks per day on average, with figures ranging from three to 50 attacks within a 24-hour period. Other known characteristics include:
- The ability to swiftly integrate botnet exploits of newly discovered vulnerabilities in popular cloud native applications
- A global impact that potentially involves millions of daily attacks
- A diverse range of tactics used by threat actors to tailor campaigns and maximize the impact of each attack. For example, Kinsing’s feature set adapts to the command interpreter: it is more basic on systems running the Bourne shell (sh) and more advanced in environments running `bash` (the Bourne-again shell)
- Armed with anonymity, Kinsing exploits vulnerabilities or misconfigurations in applications, executes infection scripts, deploys cryptominers that are often concealed by rootkits, and maintains control over the compromised servers
According to Zhihao Tan, Director of Solution Architects (APJ), Aqua Security, the firm disclosing its research: “Organizations need to recognize that the threat landscape in the world of cloud-native (apps) is very different from what we understood from the past. Due to the nature of how quickly and simply new off-the-shelf apps can be deployed, attackers such as Kinsing (can) exploit misconfigurations and achieve their goals in the victim organization. In such cases, default misconfigurations are exploited without needing the attacker to find an actual software vulnerability in the form of a CVE. As APJ organizations continue their digital transformations and embrace cloud native security solutions, it’s critical that they have a heightened awareness of (such) cybersecurity risks.”