CyberSecurity SEE

Kinsing Malware Targeting Apache Tomcat Server Vulnerabilities


The recent surge in cryptomining attacks in cloud environments has been attributed to the scalability and flexibility of cloud platforms. Unlike traditional on-premises infrastructure, the cloud allows attackers to easily scale up resources, making it simpler for them to deploy resources rapidly for cryptomining.

One of the most prevalent threats in cloud cryptomining is the “Kinsing malware.” Cybersecurity researchers have discovered that this malware has been actively targeting Apache Tomcat servers by exploiting their vulnerabilities. Kinsing, a well-known Linux-based threat to cloud infrastructure, uses those vulnerabilities to gain unauthorized access.

Hackers behind Kinsing typically utilize compromised systems to install backdoors or cryptominers. Once a system is infected, Kinsing uses system resources for cryptomining, resulting in increased costs and degraded server performance. The recent findings reveal that the group has been targeting Apache Tomcat servers through the Kinsing malware, concealing themselves in filesystems to maintain persistence.

These malicious campaigns leverage containers and server flaws to install backdoors and cryptominers. Multiple servers within a single environment, including an Apache Tomcat server with severe vulnerabilities, were infected simultaneously in one instance. Apache Tomcat, an open-source server used for publishing static content, presents an attractive target for Kinsing perpetrators.

To evade detection, the Kinsing malware employs unconventional methods to blend in with innocent system files in obscure locations. By hiding in directories where legitimate files are normally found, the attackers increase the likelihood that their malware goes unnoticed on compromised systems.
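A defender-side check for the hiding technique described above, added here as an example and not taken from the article or the cited researchers: it walks system directories and flags executable ELF files that are absent from a known-good baseline and were modified after a chosen cut-off. The sample tree, file names and 30-day window are constructed for the demo.

```python
import os
import stat
import tempfile
import time

ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    # Read only the 4-byte magic so the scan stays cheap on large trees.
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def find_new_executables(roots, baseline, since_ts):
    """ELF files under roots that are executable, absent from the known-good
    baseline (a set of paths) and modified at or after since_ts."""
    hits = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if path in baseline:
                    continue
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                    continue
                if st.st_mtime >= since_ts and is_elf(path):
                    hits.append(path)
    return sorted(hits)

def demo():
    # Constructed tree: a baselined binary with an old mtime plus a planted
    # executable that appeared inside the window (both are fake ELF stubs).
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    known = os.path.join(bindir, "ls")
    planted = os.path.join(bindir, "planted-sample")
    for p in (known, planted):
        with open(p, "wb") as fh:
            fh.write(ELF_MAGIC + b"\x00" * 12)
        os.chmod(p, 0o755)
    since = time.time() - 30 * 86400                 # 30-day lookback
    os.utime(known, (since - 86400, since - 86400))  # push it outside the window
    return find_new_executables([root], {known}, since)
```

On a real host the baseline would come from the package manager or a file-integrity tool, and the roots would be the directories the page describes as hiding places, such as system binary paths.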

The malicious file detected in this attack was not new; it was initially observed in China in late 2022. However, the specific attack on the Tomcat server started in mid-2023, with file creation dates spanning from June to July 2023, indicating over a year of undetected malicious activity. The malware utilizes an outdated version of the XMRig cryptominer, which mines the privacy-focused Monero cryptocurrency. A more current version of XMRig, version 6.21.2, is readily available for download on GitHub.

In conclusion, the growing trend of cryptomining attacks in the cloud underscores the importance of robust cybersecurity measures to mitigate such threats. As attackers continue to exploit vulnerabilities in cloud environments, organizations must remain vigilant and proactive in securing their cloud infrastructure to safeguard against cryptomining attacks like those perpetrated by the Kinsing malware.
