Hackers Mass-Scanning Web for Docker Platforms to Mine Cryptocurrencies

Published at: Nov. 27, 2019

A group of hackers has launched a new cryptojacking campaign on Nov. 24, scanning as many as 59,000 IP networks to find Docker platforms that have API endpoints exposed online, business technology publication ZDNet reports Nov. 26.

According to the report, the campaign is targeting vulnerable Docker instances in order to deploy crypto-malware to generate funds for the hacking group by mining Monero (XMR).

The mass scanning issue was first discovered by American internet security firm Bad Packets LLC on Nov. 25.

Troy Mursch, chief research officer and co-founder of Bad Packets LLC, said that exploit activity targeting exposed Docker instances is not new and happens quite often. In March 2018, cybersecurity company Imperva reported that 400 Docker servers — which were remotely accessible through an API weakness — contained Monerno mining programs.

Hackers used a “classic” XMR crypto miner

Mursch, who reportedly discovered the campaign, told ZDNet that once the hacking group manages to identify an exposed host, attackers deploy the API endpoint to start an Alpine Linux OS container to run a command that downloads and runs a Bash script from the attackers’ server. That script then reportedly installs a “classic XMRRig cryptocurrency miner.”

According to Mursch, hackers mined 14.82 XMR in the two days the Docker-targeting campaign has been active, which is worth $835 at press time.

Docker is a developer tool designed to simplify processes of creating, deploying and running software by using containers. Containers allow developers to package up an application with all of the required parts like libraries and other dependencies and deliver it as one package.

In order to avoid the newly detected vulnerability, Mursch recommends that users who run Docker instances immediately check if they are exposing their API endpoints on the internet, close the ports, and terminate unrecognized running containers.

On Nov. 25, major crypto exchange BitBay announced that the platform will delist Monero due to money laundering concerns. BitBay follows other exchanges like OKEx, who have delisted the cryptocurrency in order to remain compliant with guidelines set by the Financial Action Task Force.

Tags
Related Posts
Botnet Exploits SQL Servers to Install Crypto Mining App
Recent reports revealed that a group of hackers behind the Kingminer botnet targeted vulnerable Microsoft SQL server databases to mine cryptocurrencies at some point in the second week of June. According to the cybersecurity firm Sophos, the attackers used the botnet, active since 2018, to exploit the BlueKeep and EternalBlue vulnerabilities, by also accessing through a trojan known as Gh0st, which relies on a remote access malware. Once the SQL server database is infected, the botnet installs a well-known crypto miner software called XMRig, which mines Monero (XMR). There are no details as of press time regarding how many systems …
Altcoin / June 10, 2020
French Police Shut Down 850,000 Computer Botnet Used for Cryptojacking
French police have shut down a massive botnet that has been used for Monero (XMR) cryptojacking. Cryptojacking backed by “massive firepower” BBC News reported the development on Aug. 27. According to the police, the botnet was distributed by sending virus-laden emails with offers for erotic pictures or fast cash, and further propogated through infected USB drives. The virus, called Retadup, ultimately infected 850,000 computers in over 100 countries — thus creating a massive botnet. The chief of C3N — the French police’s cybercrime unit — Jean-Dominique Nollet spoke on France Inter radio about the power of a botnet this size, …
United States / Aug. 28, 2019
Researchers Find Monero Mining Malware That Hides From Task Manager
Cybersecurity company Varonis has discovered a new cryptojacking virus, dubbed “Norman,” that aims to mine the cryptocurrency Monero (XMR) and evade detection. Varonis published a report about Norman on Aug.14. According to the report, Varonis found Norman as one of many cryptojacking viruses deployed in an attack that infected machines at a mid-size company. Hackers and cybercriminals deploy cryptojacking hardware to use the computing power of unsuspecting users’ machines to mine cryptocurrencies like the privacy oriented coin Monero. Norman in particular is a crypto miner based on XMRig, which is described in the report as a high-performance miner for Monero …
Altcoin / Aug. 14, 2019
Trend Micro: Outlaw Hacking Group’s Botnet Is Now Spreading a Monero Miner
Cybersecurity company Trend Micro claims to have detected a web address spreading a botnet featuring a monero (XMR) mining component alongside a backdoor. The malware was described on Trend Micro’s official blog on June 13. Per the report, the firm attributes the malware to Outlaw Hacking Group, as the techniques employed are almost the same used in its previous operations. The software in question also holds Distributed Denial of Service (DDoS) capabilities, “allowing the cybercriminals to monetize their botnet through cryptocurrency mining and by offering DDoS-for-hire services.” Trend Micro also believes that the creators of the malware in question are …
Altcoin / June 13, 2019
Malware Shellbot is Now Capable of Shutting Down Other Miners
The Shellbot cryptojacking malware has gone through an update and come out with some new capabilities, technology news website TechCrunch reported on May 1. Per the report, these findings come from Boston-based cybersecurity firm Threat Stack. The company claims that Shellbot, which was first discovered in 2005, has received a major update. The original Shellbot was capable of brute-forcing the credentials of SSH remote access services on Linux servers protected by weak passwords. The malware then mines privacy-focused monero (XMR). Threat Stack claims that this new-and-improved version is capable of spreading through an infected network and shutting down other miners …
Blockchain / May 1, 2019