While the vulnerability has also been exploited to deploy reverse shells, Kinsing remains the only major intrusion set exploiting it, based on our observations.
Within 24 hours of going online, our honeypots were compromised by Kinsing.
The first Kinsing intrusion was recorded two days later, on 11 November.
From 12 November 2023, between two and three Kinsing intrusions have been recorded daily on each honeypot.
An XML payload is hosted on a web server controlled by Kinsing.
Overview of the Kinsing OpenWire exploitation traffic.
All Kinsing compromises of our honeypots were carried out from two IP addresses.
One of these had already been used by Kinsing to exploit the Metabase vulnerability.
The URLs are stable over time, having been used by Kinsing in previous compromises dating back several months.
One of them, a function named getActiveC2Url, allows us to retrieve Kinsing C2s and connect to them.
Kinsing C2 order to download the cryptominer, decrypted with CyberChef.
Kinsing contains a large number of other functions commonly found in RATs.
For now, the Kinsing intrusion set only uses its malware to deploy a cryptominer, but the malware offers a much wider range of possibilities.
Based on the monitoring of this mining pool, the Kinsing wallet grows by 0.11 Monero per day on average.
Since 26 September 2022, the date of the first payment on this service, Kinsing has obtained a total of 21.2286 Monero from its mining activity.
Compared with the number of machines potentially vulnerable to CVE-2023-46604 and to other vulnerabilities actively exploited by Kinsing, this amount seems low.
We found that Kinsing attacked all our honeypots almost simultaneously, at fairly fixed times: around 06:00, 12:00 and 00:00. This suggests that Kinsing operates during these hours.
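As an added example (not code from the Sekoia article), the honeypot observations above, two to three daily intrusions per honeypot, near-simultaneous hits on all honeypots from a small set of source IPs, and fixed operating hours, can be checked mechanically on intrusion records; the events, honeypot names and IP addresses below are constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed honeypot intrusion records (hypothetical, not the article's data):
# (honeypot id, UTC timestamp, source IP from documentation ranges)
EVENTS = [
    ("hp1", "2023-11-12T06:04:10", "198.51.100.10"),
    ("hp2", "2023-11-12T06:05:02", "198.51.100.10"),
    ("hp3", "2023-11-12T06:07:41", "198.51.100.10"),
    ("hp1", "2023-11-12T12:01:33", "198.51.100.20"),
    ("hp2", "2023-11-12T12:02:50", "198.51.100.20"),
    ("hp1", "2023-11-13T00:03:12", "198.51.100.10"),
    ("hp2", "2023-11-13T00:03:59", "198.51.100.10"),
    ("hp3", "2023-11-13T00:06:20", "198.51.100.10"),
    ("hp1", "2023-11-13T15:40:00", "203.0.113.5"),  # unrelated one-off hit
]

def parse(events):
    return [(hp, datetime.fromisoformat(ts), ip) for hp, ts, ip in events]

def hour_histogram(events):
    """Intrusions per UTC hour of day; fixed operating hours show up as peaks."""
    return Counter(ts.hour for _, ts, _ in parse(events))

def daily_counts(events):
    """Intrusions per honeypot per day (the article reports two to three)."""
    counts = defaultdict(Counter)
    for hp, ts, _ in parse(events):
        counts[hp][ts.date().isoformat()] += 1
    return {hp: dict(days) for hp, days in counts.items()}

def simultaneous_waves(events, window_minutes=10):
    """Cluster hits from the same source IP that fall within a time window.
    A cluster touching several distinct honeypots is a campaign wave; a
    single-honeypot hit is dropped as noise."""
    by_ip = defaultdict(list)
    for hp, ts, ip in sorted(parse(events), key=lambda e: e[1]):
        by_ip[ip].append((hp, ts))
    waves = []
    for ip, hits in by_ip.items():
        cluster = [hits[0]]
        for hp, ts in hits[1:]:
            if ts - cluster[-1][1] <= timedelta(minutes=window_minutes):
                cluster.append((hp, ts))
            else:
                waves.append((ip, cluster))
                cluster = [(hp, ts)]
        waves.append((ip, cluster))
    return [(ip, c[0][1].isoformat(), sorted({hp for hp, _ in c}))
            for ip, c in waves if len({hp for hp, _ in c}) > 1]
```

On the constructed data the three waves at 06:00, 12:00 and 00:00 hit two or three honeypots each from the same IP, while the lone 15:40 hit is discarded.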
In total, in just over a year, Kinsing has generated 25 Monero on this wallet, equivalent to around 3,750 euros at the November 2023 exchange rate.
Our honeypots went into production around ten days after the release of the proof-of-concept code, and were very quickly compromised by Kinsing.
Kinsing has a consistent and stable infrastructure, which results in high hosting costs.
This Cyber News was published on blog.sekoia.io. Publication date: Mon, 11 Dec 2023 08:43:05 +0000