Today, Tenable โ the Exposure Management company, has disclosed that its Cloud Security Research Team has recently discovered that Kinsing malware, known for targeting Linux-based cloud infrastructures, is exploiting Apache Tomcat servers with new advanced stealth techniques.
Kinsing is a notorious malware family active for several years, primarily targeting Linux-based cloud infrastructure. Known for leveraging various vulnerabilities to gain unauthorised access, the threat actors behind the Kinsing malware typically deploy backdoors and cryptocurrency miners (cryptominers) on compromised systems. After infection, Kinsing uses system resources for cryptomining, which leads to higher costs and slower server performance.
Today Tenable has disclosed that Kinsing also attacks Apache Tomcat servers, and uses new techniques to hide itself on the filesystem, including utilising innocent and non-suspicious file locations for persistence.
โCloud cryptomining has become an emerging trend in recent years, powered by the scalability and flexibility of cloud platforms,โ said Ari Eitan, Manager – Research, Tenable. โUnlike traditional on-premises infrastructure, cloud infrastructure allows attackers to quickly deploy resources for cryptomining, making it easier to exploit. In this case, we’ve detected multiple Kinsing infected servers within a singular environment, including an Apache Tomcat server with critical vulnerabilities.โ
More information, including the teamโs technical findings and relevant indicators of compromise (IOCs), have been published on the Tenable blog.