Warning over spike in attacks on exposed Docker platforms

Attackers have already scanned nearly 59,000 IP networks, claim researchers

Security researchers have warned of a campaign of internet scanning activity by a group of hackers hunting for Docker platforms with exposed API endpoints.

Exposed platforms are then compromised with cryptomining malware.

The campaign started on 24th November, according to Troy Mursch, chief research officer of cyber-threat intelligence firm Bad Packets, who first noticed the activity and its sheer size.

"What set this campaign apart was the large uptick of scanning activity. This alone warranted further investigation to find out what this botnet was up to," Mursch told ZDNet.

He added that it wasn't the work of 'script kiddies'. He continued: "There was a moderate level of effort put into this campaign, and we haven't fully analysed every single thing it does as of yet."

The group behind this campaign has scanned nearly 59,000 IP networks in search of exposed Docker instances.

After detecting an exposed host, the attackers start up an Alpine Linux container. They also run a command to download a Bash script from their command-and-control server, which installs an XMRig cryptominer.

During the first two days of the malware operation, hackers were able to steal 14.82 Monero (XMR) coins, worth $740, according to Mursch.

Another notable feature of this campaign is its self-defence mechanism, which uses a second script to uninstall known security products and to kill a number of processes.

Moreover, attackers can also shut down processes associated with rival cryptomining botnets.

At present, Mursch advises all users running Docker instances to ensure that they are not exposing API endpoints on the internet. Where they are, they should close each exposed port and terminate any running containers they do not recognise.
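The two checks that advice implies, as an added audit helper that is not part of the article or of Bad Packets' tooling: it reads Docker's daemon.json for an API bound to a non-loopback TCP address, and reads `docker ps --format '{{json .}}'` output to list containers whose image is not on a local allowlist. The daemon.json and `docker ps` inputs below are constructed samples; the allowlist is an assumption the operator would replace with their own.

```python
"""Audit helper: flag an internet-reachable Docker API and unrecognised containers.
Added example, not from the article; the sample inputs below are constructed."""
import json

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def exposed_api_hosts(daemon_json: str) -> list:
    """Return (listener, tls_verified) for each tcp:// entry in the daemon.json
    'hosts' list that binds a non-loopback address. With tlsverify unset, anyone
    who can reach that port can create containers on the host."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    findings = []
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue
        addr = h[len("tcp://"):].rsplit(":", 1)[0].strip("[]")
        if addr not in LOOPBACK:
            findings.append((h, tls))
    return findings


def unrecognised_containers(ps_json_lines: str, allowed_images: set) -> list:
    """Parse one JSON object per line (docker ps --format '{{json .}}') and return
    the names of containers whose image is not in allowed_images."""
    names = []
    for line in ps_json_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        if c.get("Image") not in allowed_images:
            names.append(c.get("Names"))
    return names


# Constructed sample data standing in for /etc/docker/daemon.json and docker ps output.
SAMPLE_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
SAMPLE_PS = "\n".join([
    json.dumps({"ID": "a1b2c3d4e5f6", "Image": "nginx:1.17", "Names": "web"}),
    json.dumps({"ID": "0f1e2d3c4b5a", "Image": "alpine:latest", "Names": "stoic_bose"}),
])
ALLOWED_IMAGES = {"nginx:1.17", "postgres:12"}  # assumed operator allowlist

if __name__ == "__main__":
    for host, tls in exposed_api_hosts(SAMPLE_DAEMON_JSON):
        print(f"API listener {host} reachable off-host (TLS client auth: {tls})")
    for name in unrecognised_containers(SAMPLE_PS, ALLOWED_IMAGES):
        print(f"container not on allowlist: {name}")
```

The daemon can also be bound with `-H` on the dockerd command line (for example in a systemd unit), which this check does not read, so confirm with `ss -ltnp` or equivalent on the host.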

However, this is not the first time that attackers have tried to target insecure Docker platforms. Last month, security researchers discovered a new cryptojacking worm, dubbed Graboid, which they said was spreading via insecure containers running on the Docker Engine.

In April, Docker admitted to a breach of its Hub database of container images, exposing the details of approximately 190,000 users.

In June, Unit42 researchers warned that more than 40,000 Kubernetes and Docker containers were discoverable on the internet - with many exposing personal information on databases that should not be publicly accessible.