A newly discovered cryptojacking campaign targets the Docker Engine API. The attackers hijack exposed Docker hosts and enroll them in a Docker Swarm under their control. The entry point is Docker API endpoints reachable over the network without authentication; through them the attackers launch containers on the compromised hosts and run a cryptocurrency miner inside.
The attack process involves several steps:
- Scanning the internet for exposed, unauthenticated Docker API endpoints with tools such as masscan and ZGrab.
- Using the unauthenticated API to spawn an Alpine container on each exposed host.
- From that container, downloading and running initialization scripts that install the XMRig miner.
- Running further scripts that move laterally to other Docker, Kubernetes and SSH endpoints.
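The first step of the chain works only because a Docker daemon is listening on TCP with no client authentication: dockerd performs no authorization of its own, so anyone who can reach the socket can create containers (and, via host mounts, control the host). The script below is an added example, not code from the article or from the researchers who reported the campaign. It audits a dockerd configuration from two places the listener can be set, `/etc/docker/daemon.json` and the `ExecStart=` line of the systemd unit, and reports every `tcp://` listener that lacks `--tlsverify`, which is exactly the condition the masscan/ZGrab sweeps look for. The conventional ports 2375 (plain) and 2376 (TLS), the certificate paths and the sample configurations are assumptions constructed for the example; the article names none of them.

```python
"""Audit a dockerd configuration for an unauthenticated TCP Docker Engine API.

Added example (not from the article). Conventional ports 2375 (plain) and
2376 (TLS) and the certificate paths below are assumptions, not article facts.
"""
import json
import shlex
from urllib.parse import urlsplit


def _parse_exec_start(exec_start: str):
    """Extract -H/--host listeners and TLS flags from a dockerd command line.

    Handles '-H value', '-H=value', '--host value', '--host=value',
    '--tls[=bool]' and '--tlsverify[=bool]'.
    """
    hosts, tls, tlsverify = [], False, False
    toks = shlex.split(exec_start)
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-H", "--host") and i + 1 < len(toks):
            hosts.append(toks[i + 1])
            i += 2
            continue
        if t.startswith("-H=") or t.startswith("--host="):
            hosts.append(t.split("=", 1)[1])
        elif t.startswith("--tlsverify"):
            tlsverify = (t.split("=", 1)[1] if "=" in t else "true").lower() == "true"
        elif t.startswith("--tls") and not t.startswith("--tlsc") and not t.startswith("--tlsk"):
            tls = (t.split("=", 1)[1] if "=" in t else "true").lower() == "true"
        i += 1
    return hosts, tls, tlsverify


def audit_docker_api(daemon_json: str, exec_start: str):
    """Return [(listener, code)] for each TCP listener without client authentication.

    code is 'UNAUTH_ALL_INTERFACES' when the listener is bound to every address
    (the case internet-wide scanners find) or 'UNAUTH' when bound to a specific
    address. A listener with --tlsverify (mutual TLS) produces no finding;
    --tls alone encrypts but does not authenticate clients, so it still counts.
    Note: dockerd refuses to start if the same option is set in both daemon.json
    and the command line, so in practice one source carries the listeners.
    """
    cfg = json.loads(daemon_json or "{}")
    hosts, tls, tlsverify = _parse_exec_start(exec_start)
    hosts = hosts + list(cfg.get("hosts", []))
    tlsverify = tlsverify or bool(cfg.get("tlsverify", False))

    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// are local-only and gated by file permissions
        if tlsverify:
            continue  # client certificates required: authenticated
        bound_to = urlsplit(h).hostname  # None for 'tcp://:2375', '::' for '[::]'
        exposed_everywhere = bound_to in (None, "", "0.0.0.0", "::")
        findings.append((h, "UNAUTH_ALL_INTERFACES" if exposed_everywhere else "UNAUTH"))
    return findings


# Constructed samples (not from the article): a weak daemon.json next to a hardened one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # assumed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_api(cfg, "/usr/bin/dockerd") or "no unauthenticated TCP API")
```

Binding the plain port to 127.0.0.1 still yields an `UNAUTH` finding on purpose: every local process can then drive the daemon as root, and the campaign's lateral-movement scripts move between hosts precisely by finding reachable Docker endpoints. If `hosts` is set in `daemon.json`, the stock systemd unit's `ExecStart=/usr/bin/dockerd -H fd://` conflicts with it and dockerd will not start; Docker's documentation has you clear `ExecStart=` in a drop-in first.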
The attackers employ various techniques to evade detection and maintain persistence, including:
- Using a rootkit to hide the malicious processes.
- Abusing Docker Swarm as a command-and-control channel.
- Adding backdoor SSH access.
- Searching the compromised hosts for credentials and exfiltrating them.
The threat actors have not been identified, but their tooling and tactics resemble those of the group known as TeamTNT. The campaign is a reminder that Docker and Kubernetes APIs exposed without authentication remain a reliable cryptojacking target, and that the API endpoint itself, not just the workloads behind it, has to be locked down in cloud environments.