New Cryptojacking Attack Targeting Docker API to Create Malicious Swarm Botnet

A new cryptojacking campaign has been discovered targeting the Docker Engine API. The attack hijacks Docker instances and enrolls them in a malicious Docker Swarm controlled by the attackers. The campaign exploits exposed, unauthenticated Docker API endpoints to deploy cryptocurrency miners in containers on the compromised hosts.

The attack process involves several steps:

  1. Scanning for vulnerable Docker API endpoints using tools like masscan and ZGrab.
  2. Deploying an Alpine container on compromised endpoints.
  3. Downloading and executing initialization scripts that set up the XMRig miner.
  4. Using additional scripts for lateral movement to other Docker, Kubernetes, and SSH endpoints.
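The first step depends on a Docker API listener that answers to anyone who can reach it. The following defender-side check is an added example, not code from the article: it reads a daemon.json-style configuration and flags any TCP listener that is not protected by `tlsverify`; the two sample configurations are constructed.

```python
"""Audit a Docker daemon configuration for the exposure this campaign abuses:
a Docker Engine API listening on TCP without TLS client verification.

The `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are
real dockerd options; the sample configs below are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375   # conventional unencrypted Docker API port
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_docker_hosts(config: dict) -> list[str]:
    """Return one finding per exposed listener; an empty list means none."""
    findings = []
    tls_verify = bool(config.get("tlsverify", False))
    # dockerd defaults to the local unix socket when `hosts` is absent.
    for host in config.get("hosts", ["unix:///var/run/docker.sock"]):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if parts.hostname in LOOPBACK:
            continue  # loopback listener is not reachable by internet scanners
        if not tls_verify:
            # Note: "tls": true alone only encrypts; without tlsverify any
            # client is still accepted, so it does not clear the finding.
            port = parts.port or PLAINTEXT_PORT
            findings.append(f"{host}: Docker API on TCP port {port} without "
                            "tlsverify; any client reaching it controls the daemon")
    return findings


# Constructed sample: the weak setting a mass scanner would find.
WEAK_CONFIG = json.loads(
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')

# Constructed sample: the hardened equivalent (mutually authenticated TLS).
HARDENED_CONFIG = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true, "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_docker_hosts(cfg) or "OK")
```

Run it against the live file (`/etc/docker/daemon.json` on most Linux hosts) to confirm the daemon is not listening for unauthenticated remote clients; a non-empty result is the condition the scanners in step 1 look for.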

The attackers employ various techniques to evade detection and maintain persistence, including:

  • Using a rootkit to hide malicious processes
  • Manipulating Docker Swarm for command and control purposes
  • Adding backdoor SSH access
  • Searching for and exfiltrating various credentials

While the identity of the threat actors remains unknown, their methods share similarities with a group called TeamTNT. This campaign highlights the ongoing vulnerability of Docker and Kubernetes services to cryptojacking attacks, emphasizing the need for proper security measures in cloud environments.
