Kinsing Hacker Group Exploits More Flaws to Expand Crypto-Mining Botnet

admin, May 20, 2024, 22:23:29


The cryptojacking group known as Kinsing has demonstrated an ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities into its exploit arsenal and expanding its botnet.


The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019.


Kinsing (aka H2Miner), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was first documented by TrustedSec in January 2020.


In recent years, campaigns involving the Golang-based malware have weaponized various flaws in Apache ActiveMQ, Apache Log4j, Apache NiFi, Atlassian Confluence, Citrix, Liferay Portal, Linux, Openfire, Oracle WebLogic Server, and SaltStack to breach vulnerable systems.


Other methods have also involved exploiting misconfigured Docker, PostgreSQL, and Redis instances to obtain initial access, after which the endpoints are marshaled into a botnet for crypto-mining, but not before disabling security services and removing rival miners already installed on the hosts.

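The Docker and Redis exposures mentioned above are configuration defects that can be caught before a host is ever reachable. The following Python script is an added example, not code from the article, from Aqua, or from the Kinsing samples: it parses a `redis.conf` and a Docker `daemon.json` and reports the settings that leave the service reachable without authentication (a Redis instance bound to all interfaces with protected mode off and no `requirepass`; a Docker API listening on TCP without TLS). Both sample configurations are constructed, the TLS file paths in the hardened Docker sample are placeholders, and PostgreSQL (`pg_hba.conf`) is not covered here.

```python
"""Audit Redis and Docker daemon settings for the unauthenticated-exposure
patterns that cryptojacking botnets use for initial access.
Added example with constructed sample configs; not the article's code."""
import json

WEAK_REDIS_CONF = """\
# constructed sample: listens on every interface, no auth, protected mode off
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_REDIS_CONF = """\
# constructed sample: loopback only, protected mode on, password required
bind 127.0.0.1 -::1
protected-mode yes
requirepass <replace-with-a-long-random-secret>
"""

# Constructed daemon.json samples; the certificate paths are placeholders.
WEAK_DOCKER_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

HARDENED_DOCKER_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem"})


def parse_redis_conf(text):
    """Return {directive: value} for a redis.conf-style file (last one wins)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_redis(text):
    """List the Redis settings that expose the instance to unauthenticated clients."""
    conf = parse_redis_conf(text)
    findings = []
    # With no bind directive Redis listens on all interfaces; Redis 7 also
    # accepts a leading '-' on an address, so strip it before comparing.
    binds = [b.lstrip("-") for b in conf.get("bind", "0.0.0.0").split()]
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("redis: bound to all interfaces")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    if not conf.get("requirepass"):
        findings.append("redis: no requirepass set")
    return findings


def audit_docker(daemon_json):
    """List Docker daemon settings that expose the API over TCP without TLS."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not (cfg.get("tlsverify") or cfg.get("tls")):
        findings.append(f"docker: TCP API {tcp_hosts} without TLS")
    if tcp_hosts and cfg.get("tls") and not cfg.get("tlsverify"):
        findings.append("docker: TLS enabled but client certificates not verified")
    return findings


if __name__ == "__main__":
    for label, text in (("weak redis", WEAK_REDIS_CONF),
                        ("hardened redis", HARDENED_REDIS_CONF)):
        print(label, audit_redis(text))
    for label, text in (("weak docker", WEAK_DOCKER_DAEMON),
                        ("hardened docker", HARDENED_DOCKER_DAEMON)):
        print(label, audit_docker(text))
```

Running the audit as part of an image or host build step (before the workload is deployed, as Aqua recommends later in the article) turns the three Redis findings and the one Docker finding into a failed build rather than an exposed service.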

Subsequent analysis by CyberArk in 2021 unearthed commonalities between Kinsing and another malware called NSPPS, concluding that both the strains "represent the same family."


Kinsing's attack infrastructure falls into three primary categories: initial servers used for scanning and exploiting vulnerabilities, download servers responsible for staging payloads and scripts, and command-and-control (C2) servers that maintain contact with compromised servers.


The IP addresses used for C2 servers resolve to Russia, while those that are used to download the scripts and binaries span countries like Luxembourg, Russia, the Netherlands, and Ukraine.


"Kinsing targets various operating systems with different tools," Aqua said. "For instance, Kinsing often uses shell and Bash scripts to exploit Linux servers."


"We've also seen that Kinsing is targeting Openfire on Windows servers using a PowerShell script. When running on Unix, it's usually looking to download a binary that runs on x86 or ARM."


Another notable aspect of the threat actor's campaigns is that 91% of the targeted applications are open-source, with the group mainly singling out runtime applications (67%), databases (9%), and cloud infrastructure (8%).



An extensive analysis of the artifacts has further revealed three distinct categories of programs:

  • Type I and Type II scripts, which are deployed post initial access and are used to download next-stage attack components, eliminate competition, evade defenses by disabling the firewall, terminate security tools like SELinux, AppArmor, and Aliyun Aegis, and deploy a rootkit to hide the malicious processes

  • Auxiliary scripts, which are designed to accomplish initial access by exploiting a vulnerability, disable specific security components associated with Alibaba Cloud and Tencent Cloud services on a Linux system, open a reverse shell to a server under the attacker's control, and facilitate the retrieval of miner payloads

  • Binaries, which act as a second-stage payload, including the core Kinsing malware and the crypto-miner used to mine Monero
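The defense-evasion steps listed above (disabling the firewall, turning off SELinux or AppArmor, stopping cloud-provider security agents, killing rival miners, installing a rootkit to hide processes) leave a recognisable trail in process-execution telemetry, and they tend to arrive together within seconds on one host. The script below is an added example, not code from the article or from Aqua: it runs a small set of behaviour rules over constructed log lines and flags a host when two or more distinct evasion behaviours appear. The log line format, the command patterns, the rival-miner names and the agent/service names (`aliyun.service`, `AliYunDun`, `aegis`, `YunJing`, `BaradAgent`) are assumptions made for the example and should be replaced with the patterns observed in your own environment; the `/etc/ld.so.preload` rule reflects the common preload-library rootkit technique, which the article does not specify.

```python
"""Flag hosts whose process-execution log shows clustered defense-evasion
behaviour of the kind described for Kinsing's post-access scripts.
Added example; log lines and rule patterns are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample telemetry. Assumed line format:
#   "<timestamp> <host> uid=<n> cmd=<command line>"
SAMPLE_LOG = """\
2024-05-20T10:01:02Z web-01 uid=0 cmd=systemctl stop firewalld
2024-05-20T10:01:03Z web-01 uid=0 cmd=setenforce 0
2024-05-20T10:01:04Z web-01 uid=0 cmd=systemctl stop aliyun.service
2024-05-20T10:01:05Z web-01 uid=0 cmd=pkill -f xmrig
2024-05-20T10:01:06Z web-01 uid=0 cmd=sh -c 'echo /usr/lib/libsystem.so > /etc/ld.so.preload'
2024-05-20T10:02:10Z db-02 uid=0 cmd=systemctl restart postgresql
2024-05-20T10:02:11Z db-02 uid=1001 cmd=grep -i error /var/log/postgresql/postgresql.log
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")

# One rule per evasion behaviour named in the article. Service and process
# names below are assumed examples, not indicators taken from the article.
RULES = {
    "disable_firewall": re.compile(
        r"(ufw\s+disable|iptables\s+-F\b|systemctl\s+(stop|disable)\s+firewalld)", re.I),
    "disable_selinux": re.compile(r"\bsetenforce\s+0\b"),
    "disable_apparmor": re.compile(
        r"(systemctl\s+(stop|disable)\s+apparmor|\baa-teardown\b)"),
    "stop_cloud_agent": re.compile(
        r"(aliyun\.service|AliYunDun|aegis|YunJing|BaradAgent)", re.I),
    "kill_rival_miner": re.compile(r"\b(pkill|killall)\b.*\b(xmrig|minerd)\b", re.I),
    "preload_rootkit": re.compile(r"/etc/ld\.so\.preload"),
}


def classify(cmd):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(log_text, threshold=2):
    """Map host -> sorted behaviour tags for hosts with >= threshold distinct
    evasion behaviours. A single matching command is common in legitimate
    administration; several different ones in a row are not."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not follow the assumed format
        for tag in classify(m["cmd"]):
            hits[m["host"]].add(tag)
    return {host: sorted(tags) for host, tags in hits.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for host, tags in scan(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(tags)}")
```

The threshold is the important design choice: each rule on its own would page an analyst for routine maintenance, while requiring several distinct behaviours from the same host keeps the alert tied to the script-driven sequence the article describes. In production the same rules would be fed from auditd `execve` records or an EDR's process-creation stream rather than a string.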

The malware, for its part, is engineered to keep tabs on the mining process and share its process identifier (PID) with the C2 server, perform connectivity checks, and send execution results, among others.


"Kinsing targets Linux and Windows systems, often by exploiting vulnerabilities in web applications or misconfigurations such as Docker API and Kubernetes to run cryptominers," Aqua said. "To prevent potential threats like Kinsing, proactive measures such as hardening workloads pre-deployment are crucial."


The disclosure comes as botnet malware families are increasingly finding ways to broaden their reach and recruit machines into a network for carrying out malicious activities.


This is best exemplified by P2PInfect, a Rust malware that has been found to exploit poorly-secured Redis servers to deliver variants compiled for MIPS and ARM architectures.


"The main payload is capable of performing various operations, including propagating and delivering other modules with filenames that speak for themselves like miner and winminer," Nozomi Networks, which discovered samples targeting ARM earlier this year, said.


"As its name suggests, the malware is capable of performing Peer-to-Peer (P2P) communications without relying on a single Command and Control server (C&C) to propagate attackers' commands."


References

[1]https://thehackernews.com/2024/05/kinsing-hacker-group-exploits-more.html


Originally published on the WeChat public account 知机安全: Kinsing Hacker Group Exploits More Flaws to Expand Crypto-Mining Botnet

Posted by admin on May 20, 2024, 22:23:29. When reposting, keep this link (CN-SEC Chinese site; thanks to the original author for their work): https://cn-sec.com/archives/2758187.html
