Kinsing crypto mining campaign targets 75 cloud-native applications

“By hooking these functions, the Kinsing rootkit can effectively control how the operating system interacts with files, directories, and file information,” the researchers said. “This allows the rootkit to hide its presence and the presence of other malware, manipulate file operations and maintain persistence on the infected system. Such manipulations can be very challenging to detect and remove.”

Kinsing targets a long list of applications

Aqua’s report contains a long list of targeted applications for which attackers have exploits or known misconfigurations. Around 70 are open-source software and seven are proprietary. Forty-two can be described as runtime applications, nine are database applications, eight are related to cloud infrastructure, one to code management, one is a CI/CD platform, and one is a security-related application.

The list includes popular technologies such as insecure Docker API and Kubernetes deployments, containerd, PHP, Jenkins, GitLab, Citrix, Magento, Apache Hadoop, the Apache web server, Laravel, Redis, WordPress, PostgreSQL, MongoDB, Atlassian Confluence, Apache Kafka, Apache ActiveMQ, Flink, Weave Scope and many more.
