
Kinsing Malware Targeting Apache Tomcat Servers for Mining Deployment


The Kinsing malware, notorious for exploiting vulnerabilities in Linux cloud servers to deploy backdoors and cryptominers, has now set its sights on Apache Tomcat servers, a recent development that has raised concerns among cybersecurity experts.

The malware is employing innovative techniques to evade detection, hiding within seemingly harmless system files to establish persistence on compromised systems. This evolution in tactics by Kinsing underscores the importance of system administrators remaining vigilant against these emerging threats.

Kinsing’s modus operandi involves exploiting vulnerabilities in containers and servers to install backdoors and cryptominers. Recent findings have revealed multiple compromised servers, including an Apache Tomcat server with critical flaws that have been exploited by the malware.

Apache Tomcat, a widely used open-source server for serving static content, presents an attractive target for Kinsing due to its internet-facing nature. This exposure allows the malware to infiltrate the system, create hidden backdoors for persistence, and deploy cryptominers to hijack computing resources for cryptocurrency mining purposes.

One of the most alarming aspects of Kinsing’s tactics is the way it hides in unsuspected locations on compromised Linux systems. The malware leverages three separate “man” page directories that are typically used for legitimate system documentation. By hiding within these directories, Kinsing can remain undetected for extended periods, as security personnel are less likely to scrutinize them for signs of malware.

Moreover, the presence of a directory associated with Kerberos authentication hints at potential attempts by the malware to bypass authentication mechanisms or elevate privileges. This unusual directory structure is a red flag for system administrators, signaling a possible malware installation on the compromised system.

Attackers are concealing the malware within legitimate system file directories on compromised Tomcat servers, such as /var/cache/man/, where harmless files are commonly stored. This tactic allows the malware to blend in with legitimate files and evade detection, extending its lifespan on the compromised system.
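Because man-page trees should hold only documentation, a defender can hunt for this hiding place by flagging any ELF binary or executable file inside them. The following is an added example, not code from the article or from Tenable; `/var/cache/man` is the path named above, `/usr/share/man` is an assumed additional root, and the files created in `demo()` are constructed samples.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
# /var/cache/man is named in the article; /usr/share/man is an assumed extra root.
DEFAULT_ROOTS = ("/var/cache/man", "/usr/share/man")


def scan_man_dirs(roots=DEFAULT_ROOTS):
    """Return (path, reason) for files that do not belong in man-page trees."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):
                        continue  # skip symlinks, sockets, devices
                    with open(path, "rb") as fh:
                        head = fh.read(4)
                except OSError:
                    continue  # unreadable or vanished; run as root for full coverage
                if head == ELF_MAGIC:
                    findings.append((path, "ELF binary"))
                elif st.st_mode & 0o111:
                    findings.append((path, "executable bit set"))
    return sorted(findings)


def demo():
    """Scan a constructed man-cache tree in a temp dir (no real system paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "ls.1.gz": (b"\x1f\x8b\x08\x00constructed", 0o644),      # normal cached page
            "index.db": (b"\x7fELF\x02\x01\x01constructed", 0o644),  # ELF under a dull name
            "update.sh": (b"#!/bin/sh\n# constructed\n", 0o755),     # script with exec bit
        }
        for name, (data, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return [(os.path.basename(p), why) for p, why in scan_man_dirs([tmp])]


if __name__ == "__main__":
    print(*scan_man_dirs(), sep="\n")
```

A clean host should print nothing; any hit in these trees warrants a closer look at the file's owner, timestamps and hash.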

According to cybersecurity firm Tenable, this technique has been observed in stealthy cryptojacking campaigns that have been leveraging outdated XMRig miners (v6.12.2) for nearly a year. XMRig is a legitimate open-source CPU miner for Monero, a privacy-focused cryptocurrency. The continued use of outdated versions of XMRig suggests a potential lack of maintenance by the attackers, providing an opportunity for detection and mitigation.

In conclusion, the expansion of Kinsing malware’s target to include Apache Tomcat servers underscores the evolving threat landscape faced by system administrators. By employing innovative techniques to evade detection and establish persistence on compromised systems, Kinsing poses a significant risk to organizations relying on Linux cloud servers and Apache Tomcat servers. System administrators must remain vigilant and proactive in implementing robust security measures to protect against evolving threats like Kinsing.
