Researchers Detect Ambitious Bitcoin Mining Malware Campaign Targeting 1,000s Daily

Cybersecurity researchers have identified a persistent and ambitious campaign that targets thousands of Docker servers daily with a Bitcoin (BTC) miner.

In a report published on April 3, Aqua Security issued a threat alert over the attack, which, according to the report, has “been going on for months, with thousands of attempts taking place nearly on a daily basis.” The researchers warn: 

“These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.”

Such scope and ambition indicate that the illicit Bitcoin mining campaign is unlikely to be “an improvised endeavor,” as the actors behind it must be relying on significant resources and infrastructure.

Kinsing malware attack volumes, Dec. 2019-March 2020. Source: Aqua Security blog

Using its virus analysis tools, Aqua Security has identified the malware as a Golang-based Linux agent, known as Kinsing. The malware propagates by exploiting misconfigurations in Docker API ports. It runs an Ubuntu container, which downloads Kinsing and then attempts to spread the malware to further containers and hosts. 
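The entry point described above is a Docker daemon whose API port is reachable over the network without client authentication. The following audit script is an added example (not code from the Aqua report or the Kinsing sample) that checks a daemon.json for exactly that condition: it reads the `hosts`, `tlsverify` and related keys and flags TCP listeners that lack client-certificate verification or that bind to every interface. The two sample configurations are constructed.

```python
"""Audit a Docker daemon.json for the exposed-API misconfiguration described above.

Added example, not from the Aqua report. dockerd authenticates API callers only
when `tlsverify` is set (server demands a client certificate); a `tcp://` listener
without it lets anyone who can reach the port run containers as root on the host.
"""
import json
from urllib.parse import urlparse

# Bind addresses that expose the listener on every network the host is attached to.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", ""}


def audit_daemon_config(config_text: str) -> list:
    """Return a list of findings for one daemon.json document (empty list = OK)."""
    cfg = json.loads(config_text)
    client_auth = bool(cfg.get("tlsverify", False))  # only this setting authenticates callers
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only, not reachable remotely
        addr = url.hostname or ""  # "" when the host part is omitted, e.g. tcp://:2375
        where = "all interfaces" if addr in WILDCARD_ADDRESSES else addr
        if not client_auth:
            findings.append(f"CRITICAL {host}: Docker API on {where} without tlsverify; "
                            "unauthenticated callers can start privileged containers")
        elif addr in WILDCARD_ADDRESSES:
            findings.append(f"WARN {host}: API bound to {where}; restrict the listener "
                            "to a management address")
    return findings


# Constructed sample configurations: the weak setting beside a corrected one.
EXPOSED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"})

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

The same check applies to a `-H tcp://...` flag on the dockerd command line, which overrides daemon.json and should be audited alongside it.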

The campaign’s end-goal — achieved by first exploiting the open port and then carrying through with a series of evasion tactics — is to deploy a crypto miner on the compromised host, the researchers say.

Infographic showing the full flow of a Kinsing attack. Source: Aqua Security blog

Security teams need to up their game, says Aqua

Aqua’s study provides detailed insight into the components of the malware campaign, which stands out as a forceful example of what the firm claims is “the growing threat to cloud native environments.”

Attackers are upping their game to mount ever more sophisticated and ambitious attacks, the researchers note. In response, enterprise security teams need to develop a more robust strategy to mitigate these new risks.

Among their recommendations, Aqua proposes that teams identify all cloud resources and group them in a logical structure, review their authorization and authentication policies, and adjust basic security policies according to a principle of “least privilege.”

Teams should also investigate logs to locate user actions that register as anomalies, as well as implement cloud security tools to strengthen their strategy. 

Growing awareness

Last month, Singapore-based unicorn startup Acronis published the results of its latest cybersecurity survey. It revealed that 86% of IT professionals are concerned about cryptojacking — the industry term for the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.
