Coinminer Kinsing botnet is found using the recently discovered Salt Stack vulnerability CVE-2020-11651. It’s an authentication bypass vulnerability reported earlier today. This malware operation has been scanning the internet for Docker servers running API ports exposed on the internet without a password. Hackers are then breaking into unprotected hosts and installing a new crypto-mining malware strain named Kinsing. These attacks are just the last in a long list of malware campaigns that have targeted Docker instances. In this campaign, attackers are targeting the SaltStack authentication bypass vulnerability to deploy Kinsing malware.
The target is, systems that, when compromised, provide hacker groups with unfettered access to vast computational resources. It may also gather local SSH credentials in an attempt to spread to a company’s container network, to infect other cloud systems with the same malware.