Aqua Nautilus Reveals Millions of Potential Kinsing Attacks Daily

Aqua Security, the pioneer in cloud native security, recently published a new report, “Kinsing Exposed: From Myth to Architecture – A Complete Cybersecurity Chronicle.” Aqua Security’s research team, Aqua Nautilus, invested years of research and analysis into understanding Kinsing, identifying more than 75 applications actively exploited by Kinsing. The comprehensive report highlights the infrastructure, tactics, techniques and modus operandi of Kinsing and highlights the threat posed by Kinsing to enterprises worldwide.

First emerging as a cybersecurity threat in 2019, Kinsing targeted cloud native infrastructure, such as misconfigured APIs, but the threat actor quickly spread attacks across popular cloud native applications globally. The Nautilus team has been at the forefront of monitoring Kinsing’s activities and named the malware in 2020. Nautilus’ work shown in this report provides invaluable intelligence to the cybersecurity community, offering strategies for security teams to better mitigate associated risks.

Despite efforts to disrupt its activities, Kinsing continues to evolve and adapt, posing a persistent challenge to organisations worldwide. Nautilus found that on average, honeypots were targeted by Kinsing eight times per day, with figures ranging from three to fifty attacks in a 24-hour period.
Other key findings include:

• Rapid Botnet Vulnerability Integration: Kinsing has shown repeatedly the ability to swiftly integrate to its botnet exploits of newly discovered vulnerabilities in popular cloud native applications.
• Global Impact: The Kinsing malware’s reach extends globally, with Shodan scans revealing potentially millions of daily attacks, emphasising the scale of the threat and the need for international collaboration in defence efforts.
• Diverse Tactics: The report highlights how Kinsing tailored its campaigns to maximise the impact of each attack. For instance, by tailoring the main payload based on the command interpreter. Kinsing is using dedicated scripts that run on `sh` (Shell) command interpreter with basic features on Unix systems, while on systems with `bash` (Bourne Again Shell), which is an enhanced version of `sh` that includes additional features (such as command line editing, job control, and improved scripting capabilities), Kinsing is running more features.

“Kinsing’s ongoing campaigns represent its dedication to evolving its operation to add new vulnerabilities and misconfigurations in cloud native environments. This adversary often acts faster than the defenders and demonstrates the clear and present danger to organisations of all sizes,” emphasised Assaf Morag, director of threat intelligence for Aqua Nautilus. “Our report serves as a stark reminder of the pervasive risk posed by Kinsing, and implores the cybersecurity community and leaders, such as Aqua, to remain vigilant and united in the face of this threat.”

Armed with anonymity, Kinsing exploits vulnerabilities or misconfigurations in applications, executes infection scripts, deploys cryptominers often concealed by rootkits, and maintains control over servers using the Kinsing malware. This multi-layered approach further proves the need for robust cybersecurity measures to detect, mitigate, and prevent insidious attacks from the malware.

“The depth of detail presented in our report is a testament to our team’s longstanding commitment to understanding and combating the threat of Kinsing,” said Morag. “Through years of continuous tracking and analysis, we are able to present a more holistic and robust report that provides a comprehensive understanding of Kinsing’s modus operandi and better tools to defend against it.”