Aqua Nautilus Reveals Millions of Potential Kinsing Attacks Daily
May 06 2024 - 5:30PM
Aqua Security, the pioneer in cloud native security, today
published a new report, "Kinsing Exposed: From Myth to Architecture
- A Complete Cybersecurity Chronicle." Aqua Security’s research
team, Aqua Nautilus, invested years of research and analysis into
understanding Kinsing, identifying more than 75 applications
actively exploited by Kinsing. The comprehensive report details
the infrastructure, tactics, techniques and modus operandi of
Kinsing and highlights the threat it poses to enterprises
worldwide.
First emerging as a cybersecurity threat in 2019, Kinsing
targeted cloud native infrastructure, such as misconfigured APIs,
but the threat actor quickly spread attacks across popular cloud
native applications globally. The Nautilus team has been at the
forefront of monitoring Kinsing's activities and named the malware
in 2020. Nautilus’ work shown in this report provides invaluable
intelligence to the cybersecurity community, offering strategies
for security teams to better mitigate associated risks.
Despite efforts to disrupt its activities, Kinsing continues to
evolve and adapt, posing a persistent challenge to organizations
worldwide. Nautilus found that on average, honeypots were targeted
by Kinsing eight times per day, with figures ranging from three to
fifty attacks in a 24-hour period.
Other key findings include:
- Rapid Botnet Vulnerability Integration:
Kinsing has repeatedly shown the ability to swiftly integrate
exploits for newly discovered vulnerabilities in popular cloud
native applications into its botnet.
- Global Impact: The Kinsing malware's reach
extends globally, with Shodan scans revealing potentially millions
of daily attacks, emphasizing the scale of the threat and the need
for international collaboration in defense efforts.
- Diverse Tactics: The report highlights how
Kinsing tailored its campaigns to maximize the impact of each
attack, for instance by tailoring the main payload to the
command interpreter. Kinsing uses dedicated scripts that run on the
`sh` (Shell) command interpreter, which offers basic features on
Unix systems, while on systems with `bash` (Bourne Again Shell), an
enhanced version of `sh` that includes additional features
(such as command line editing, job control, and improved scripting
capabilities), Kinsing runs more features.
"Kinsing's ongoing campaigns represent its dedication to
evolving its operation to add new vulnerabilities and
misconfigurations in cloud native environments. This adversary
often acts faster than the defenders and demonstrates the clear and
present danger to organizations of all sizes," emphasized Assaf
Morag, director of threat intelligence for Aqua Nautilus. "Our
report serves as a stark reminder of the pervasive risk posed by
Kinsing, and implores the cybersecurity community and leaders, such
as Aqua, to remain vigilant and united in the face of this
threat."
Armed with anonymity, Kinsing exploits vulnerabilities or
misconfigurations in applications, executes infection scripts,
deploys cryptominers often concealed by rootkits, and maintains
control over servers using the Kinsing malware. This multi-layered
approach further proves the need for robust cybersecurity measures
to detect, mitigate, and prevent insidious attacks from the
malware.
"The depth of detail presented in our report is a testament to
our team's longstanding commitment to understanding and combating
the threat of Kinsing," said Morag. "Through years of continuous
tracking and analysis, we are able to present a more holistic and
robust report that provides a comprehensive understanding of
Kinsing’s modus operandi and better tools to defend against
it."
To equip your security team with this new research and
recommendations for protection, download the new report first
discussed at RSA Conference 2024.
About Aqua Nautilus
Aqua Nautilus is a security
research team whose mission is to analyze the evolving cloud native
threat landscape, uncovering new threats targeting containers,
Kubernetes, serverless, applications’ software supply chains and
cloud infrastructure. The team aims to help Aqua customers and the
community at large protect against the unknown, zero-day and
emerging threats, turning insights from real-world attacks into
powerful, intelligence-driven protection within the Aqua
Platform.
About Aqua Security
Aqua Security sees and stops
attacks across the entire cloud native application lifecycle in a
single, integrated Cloud Native Application Protection Platform
(CNAPP). From software supply chain security for developers to
cloud security and runtime protection for security teams, Aqua
helps customers reduce risk while building the future of their
businesses. Founded in 2015, Aqua is headquartered in Boston, MA
and Ramat Gan, IL, protecting over 500 of the world’s largest
enterprises. For more information, visit
https://www.aquasec.com.
Contact: media@aquasec.com