What was the nature of the compromise?

The compromised image contained malicious code that performed cryptojacking operations by connecting to pool.supportxmr.com for cryptocurrency mining. The compromised image hash was sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43.

How did the breach occur?

A DockerHub Personal Access Token (PAT) used for uploading release images was compromised prior to December 23rd. The attacker used this compromised PAT to upload a malicious version of the 3.4.0 release image directly to DockerHub.

What was the timeline of the incident?

The incident affected systems between December 22nd, 2024, and January 3rd, 2025. The Kong team removed version 3.4.0 and associated tags from DockerHub on January 2nd, 2025, and released a patched version 3.4.1 on the same day.

What are the clean image hashes for the fixed version?

The fixed image hashes for the clean, re-tagged version 3.4.0 are: AMD64: sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f and ARM64: sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee

What actions should users take?

Users should remove the compromised image from all internal registries and clusters, pull and deploy either version 3.4.1 or the clean, re-tagged version 3.4.0 with verified hashes, and monitor system resources for any unusual CPU usage that might indicate ongoing cryptomining activity.

Advisory

Supply chain breached in Kong DockerHub, malilcious Kong Ingress Controller version 3.4.0 uploaded

Q: What happened in the Kong security breach?

On December 23rd, 2024, an unauthorized actor gained access to Kong's DockerHub account and compromised the Kong Ingress Controller version 3.4.0 by replacing the legitimate image with a malicious version. The breach was discovered on December 29th, 2024, when a user reported high CPU usage.

Q: What are the potential impacts of the cryptojacking attack?

The attack could result in increased resource consumption, higher energy costs, introduction of additional security vulnerabilities or backdoors, and potential unauthorized access to affected systems.

published: Jan. 14, 2025

Take action: If you are using Kong Ingress Controller, time to act now: Immediately remove the compromised version 3.4.0 image from all systems and registries, then deploy either the patched 3.4.1 release or the clean re-tagged 3.4.0 (ensuring to verify the image hashes), and monitor their systems' CPU usage and DNS requests to pool.supportxmr.com for any signs of ongoing cryptomining that would indicate compromise.

Learn More

On December 23rd, 2024, a security breach occurred in the software supply chain of Kong when an unauthorized actor gained access to Kong's DockerHub account and compromised the Kong Ingress Controller version 3.4.0 by replacing the legitimate image with a malicious version.

The security breach was discovered when a user reported high CPU usage on December 29th, 2024. The compromised image (hash: sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) contained malicious code that performed cryptojacking operations by connecting to pool.supportxmr.com for cryptocurrency mining purposes.

A DockerHub Personal Access Token (PAT) used for uploading release images was compromised prior to December 23rd. The attacker leveraged the compromised PAT to upload a malicious version of the 3.4.0 release image directly to DockerHub. The incident affected systems between December 22nd, 2024, and January 3rd, 2025

The Kong team removed of version 3.4.0 and all associated tags from DockerHub January 2nd, 2025, rotated all DockerHub access keys and releases a patched version 3.4.1 on January 2nd, 2025, which removed the unauthorized cryptojacking code.

Clean Image Hashes: The fixed image hashes for the clean, re-tagged version 3.4.0 are:

AMD64: sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f
ARM64: sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee

The cryptojacking attack could potentially result in increased resource consumption, higher energy costs, introduction of additional security vulnerabilities or backdoors and potential unauthorized access to affected systems

Users of Kong Ingress Controller are advised to:

Remove the compromised image immediately from all internal registries and clusters
Pull and deploy either version 3.4.1 or the clean, re-tagged version 3.4.0 with verified hashes
Monitor system resources for any unusual CPU usage that might indicate ongoing cryptomining activity

Supply chain breached in Kong DockerHub, malilcious Kong Ingress Controller version 3.4.0 uploaded

Read More
GNU C Library flaw allows local attackers to …
Microsoft SQL servers under attack, used to deploy …
Broadcom Brocade Fabric SAN vulnerability actively exploited
Version of Mirai botnet exploits vulnerability in Mitel …
Critical MS Exchange Server vulnerability actively attacked, one …