Zoom into Kinsing
Blog post from Sysdig
Kinsing is malware known for targeting misconfigured cloud-native environments, exploiting vulnerabilities to run unauthorized containers and perform malicious activity such as crypto mining. By executing a suspicious shell script, Kinsing disables security services, removes system logs, and installs a crypto miner called Kdevtmpfsi, which consumes significant CPU resources and communicates with Command and Control (C2) servers. The malware also leverages SSH keys for lateral movement across machines, threatening both data integrity and service availability.

Effective detection and mitigation require monitoring suspicious process, file, and network activity, which tools like Falco support through predefined rules that identify anomalies such as unauthorized package management and connections to known miner pools. Comprehensive monitoring and security solutions, like the Sysdig Secure DevOps Platform, are essential for correlating these events and protecting cloud environments from such sophisticated attacks.
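As an added example (not code from the Sysdig post or from Falco), the behaviours summarised above expressed as detection logic run over constructed, Falco-style process and network events, with a per-container correlation step that only raises an alert when several of them coincide. The event field names, the security-service names and the miner-pool port list are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample events in a simplified, Falco-like JSON shape; the field
# names (type, container, proc, cmdline, dst_port) are assumptions for this
# example, not real Falco output. "host" marks a process outside any container.
SAMPLE_EVENTS = """
{"type": "exec", "container": "c1", "proc": "apt-get", "cmdline": "apt-get install -y curl"}
{"type": "exec", "container": "c1", "proc": "systemctl", "cmdline": "systemctl stop apparmor"}
{"type": "exec", "container": "c1", "proc": "rm", "cmdline": "rm -rf /var/log/syslog"}
{"type": "exec", "container": "c1", "proc": "kdevtmpfsi", "cmdline": "/tmp/kdevtmpfsi"}
{"type": "connect", "container": "c1", "proc": "kdevtmpfsi", "dst_port": 4444}
{"type": "exec", "container": "c2", "proc": "apt-get", "cmdline": "apt-get install -y curl"}
{"type": "connect", "container": "host", "proc": "curl", "dst_port": 443}
"""

PACKAGE_MANAGERS = {"apt", "apt-get", "yum", "dnf", "apk"}
KINSING_NAMES = {"kinsing", "kdevtmpfsi"}
MINER_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}      # illustrative stratum ports
SECURITY_SERVICES = {"apparmor", "firewalld", "falco"}  # illustrative service names


def classify(event):
    """Return the detection names a single event matches (possibly none)."""
    hits = []
    if event["type"] == "exec":
        name, args = event["proc"], event["cmdline"].split()
        if name in KINSING_NAMES:
            hits.append("kinsing_binary")
        if name in PACKAGE_MANAGERS and event["container"] != "host":
            hits.append("pkg_mgmt_in_container")
        if (name == "systemctl" and len(args) >= 3
                and args[1] in ("stop", "disable") and args[2] in SECURITY_SERVICES):
            hits.append("security_service_disabled")
        if name == "rm" and any(a.startswith("/var/log") for a in args[1:]):
            hits.append("log_removal")
    elif event["type"] == "connect" and event["dst_port"] in MINER_POOL_PORTS:
        hits.append("miner_pool_connection")
    return hits


def correlate(event_lines, min_hits=3):
    """Group distinct detections per container and report containers at or
    above min_hits: one package install is noise, several of these behaviours
    in the same container is the Kinsing pattern."""
    per_container = defaultdict(set)
    for line in event_lines.strip().splitlines():
        event = json.loads(line)
        per_container[event["container"]].update(classify(event))
    return {c: sorted(h) for c, h in per_container.items() if len(h) >= min_hits}


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Lowering `min_hits` to 1 also surfaces the lone package install in `c2`, which is the kind of single, noisy hit a practitioner would route to a lower-severity queue rather than an alert.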