A newly discovered cryptojacking campaign has been identified targeting Docker and Kubernetes environments; it gains initial access through exposed, unauthenticated Docker Engine API endpoints.
Description
The attackers aim to hijack instances and join them to a malicious Docker Swarm under their control [2] [4], deploying a cryptocurrency miner on compromised containers and moving laterally to other hosts that expose Docker [2] [4], Kubernetes [1] [2] [3] [4], or SSH [2] [4]. The intrusion chain consists of identifying unauthenticated, exposed Docker API endpoints [2] [4], spawning an Alpine container [1] [2] [4], and downloading the XMRig miner [2] [4]. To conceal the miner process [2] [4], the attackers use the libprocesshider rootkit, and they spread the malware to other Docker hosts in a worm-like manner [2] [4].

The campaign also compromises SSH servers by adding an SSH key and creating a new user named "ftp" for remote access [2] [4]. The malware searches for credential files belonging to SSH [4], AWS [2] [4], Google Cloud [2] [4], and Samba [2] [4], and uploads them to the C2 server [4]. The primary goal is cryptojacking [3]: the XMRig miner is used to mine Monero [3]. The campaign highlights the persistent threat of cryptojacking against services such as Docker and Kubernetes [4], and shows how quickly compromised systems can be absorbed into a botnet for further exploitation [4].
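The three host-level artefacts the description names (an unauthenticated Docker Engine API listener, the libprocesshider rootkit, and an "ftp" account with SSH access) can each be checked from configuration snapshots. The following triage script is an added example written for this page; it is not code from any of the cited reports. It assumes libprocesshider is loaded through /etc/ld.so.preload (the mechanism that tool is known to use), that the daemon's listeners are declared in daemon.json (hosts passed via a systemd -H flag would need to be read separately), and that the Docker daemon.json keys hosts, tlsverify, tlscacert, tlscert and tlskey are used as documented by Docker. All file contents below are constructed samples, not data from a real host.

```python
"""
Host-level triage for the Docker-API cryptojacking campaign described above.

Added example, not code from any of the cited reports. It inspects snapshots of
three artefacts the campaign touches: the Docker daemon configuration (an exposed,
unauthenticated Engine API), /etc/ld.so.preload (libprocesshider hides the miner
by being preloaded into every dynamically linked process; assumption based on how
that tool works), and the account/SSH change (a user named "ftp" given remote
access). Every input below is constructed sample data, not real host contents.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str
    detail: str


def check_docker_daemon(daemon_json: str) -> list[Finding]:
    """Flag TCP listeners on the Engine API that lack TLS client authentication."""
    try:
        cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    except json.JSONDecodeError as exc:
        return [Finding("docker-daemon", f"daemon.json unparseable: {exc}")]
    tls_client_auth = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        # A unix socket is local-only; a tcp:// listener without tlsverify lets any
        # network client create containers, which is this campaign's entry point.
        if host.startswith("tcp://") and not tls_client_auth:
            findings.append(Finding("docker-daemon",
                                    f"Engine API listens on {host} without tlsverify"))
    return findings


def check_ld_preload(ld_so_preload: str) -> list[Finding]:
    """Report every library in /etc/ld.so.preload; a non-empty file on a container
    host needs review, because process-hiding tools rely on this preload."""
    findings = []
    for line in ld_so_preload.splitlines():
        lib = line.strip()
        if lib and not lib.startswith("#"):
            findings.append(Finding("ld-preload", f"preloaded library: {lib}"))
    return findings


def check_ssh_access(passwd: str, authorized_keys_by_user: dict[str, str]) -> list[Finding]:
    """Flag the campaign's persistence pattern: an 'ftp' account that can log in over SSH.
    Many distributions ship a system 'ftp' user with a nologin shell and no keys, so only
    an interactive shell or the presence of authorized keys is reported."""
    nologin = re.compile(r"/(nologin|false)$")
    findings = []
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or parts[0] != "ftp":
            continue
        shell = parts[6]
        if not nologin.search(shell):
            findings.append(Finding("ssh-access", f"user ftp has interactive shell {shell}"))
        keys = [k for k in authorized_keys_by_user.get("ftp", "").splitlines()
                if k.strip() and not k.startswith("#")]
        if keys:
            findings.append(Finding("ssh-access", f"user ftp has {len(keys)} authorized SSH key(s)"))
    return findings


def triage(daemon_json: str, ld_so_preload: str, passwd: str,
           authorized_keys_by_user: dict[str, str]) -> list[Finding]:
    """Run all three checks over one host snapshot."""
    return (check_docker_daemon(daemon_json)
            + check_ld_preload(ld_so_preload)
            + check_ssh_access(passwd, authorized_keys_by_user))


# Constructed snapshot resembling a host hit by this campaign (not real data).
SAMPLE_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nftp:x:1001:1001::/home/ftp:/bin/bash\n"
SAMPLE_KEYS = {"ftp": "ssh-ed25519 AAAA-constructed-placeholder-key attacker\n"}

# Hardened counterpart: TLS client auth required on the API, ftp left as a locked system account.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"})
CLEAN_PASSWD = "root:x:0:0:root:/root:/bin/bash\nftp:x:14:50:FTP User:/var/ftp:/sbin/nologin\n"

if __name__ == "__main__":
    for f in triage(SAMPLE_DAEMON_JSON, SAMPLE_LD_PRELOAD, SAMPLE_PASSWD, SAMPLE_KEYS):
        print(f"[{f.check}] {f.detail}")
```

Run against the constructed compromised snapshot it reports four findings (the open API listener, the preloaded library, and the two ftp-account indicators); against the hardened daemon.json and a stock nologin ftp account it reports none. In practice the inputs would be read from /etc/docker/daemon.json, /etc/ld.so.preload, /etc/passwd and each user's ~/.ssh/authorized_keys, and the Docker socket check should be paired with a network-side confirmation that port 2375 is not reachable from outside the host.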
Conclusion
This campaign underscores the importance of securing Docker and Kubernetes environments to prevent cryptojacking attacks. Organizations should regularly update and patch their systems, implement strong access controls, and monitor for any suspicious activity to mitigate the risk of falling victim to such campaigns in the future. As cyber threats continue to evolve, staying vigilant and proactive in defending against cryptojacking is crucial for maintaining the security of digital assets.
References
[1] https://www.techradar.com/pro/security/docker-api-targeted-by-cryptojacking-campaign-looking-to-build-mega-botnet
[2] https://cybermind.in/new-cryptojacking-attack-targets-docker-api-to-create-malicious-swarm-botnet/
[3] https://cybersecuritynews.com/hackers-exploiting-docker-swarm/
[4] https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html