Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers

Cloud cryptomining has surged in recent years due to the scalability and flexibility of cloud platforms. This trend makes it easier for attackers to exploit vulnerabilities and deploy resources for cryptomining quickly. A significant threat in this landscape is the Kinsing malware, notorious for targeting Linux-based cloud infrastructure. It typically exploits vulnerabilities to gain unauthorized access, deploying backdoors and cryptocurrency miners on compromised systems. Recently, Kinsing has expanded its targets to include Apache Tomcat servers, using new techniques to hide itself in innocuous file locations for persistence.

Security Officer Comments:
According to Tenable's report, the malware strategically hides in atypical spots like 'man' pages, banking on the assumption that defenders are unlikely to look there, thereby enhancing its stealth capabilities. Despite being active since late 2022, Kinsing's actions on Tomcat servers remained undetected until mid-2023. This malware includes the XMRig cryptominer for Monero mining.

Suggested Corrections:
Organizations often face challenges in mitigating vulnerabilities, particularly when assets and services are distributed across various cloud infrastructures. Many companies have found it beneficial to employ management tools for comprehensive inventory, tracking, and assessment of asset health within cloud environments. With the continual influx of vulnerability disclosures on a weekly, or even daily basis, organizations struggle to prioritize which vulnerabilities demand immediate attention.

There isn't a one-size-fits-all solution or scale for companies to determine which vulnerabilities require immediate attention. The prioritization of vulnerabilities depends on factors such as the type of business, available resources, and the clientele they serve.