Docker API servers are being hit to spread cryptomining malware
Hackers are targeting vulnerable Docker remote API servers and using them to mine cryptocurrencies on the underlying hardware, experts warn.
Cybersecurity researchers at Trend Micro stated that the crooks took an “unconventional approach” with this attack, noting that “the threat actor used the gRPC protocol over h2c to bypass security solutions and conduct their crypto mining operations on the Docker host.”
“The attacker first checked the availability and version of the Docker API and then proceeded to request gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities.”
Which tokens do they mine?
The experts explained that the crooks would first look for public Docker API hosts where the HTTP/2 protocol can be upgraded. They then sent a request to upgrade to the h2c protocol, which allowed them to create a container upon completion. That container is ultimately used to mine cryptocurrencies for the attackers, via the SRBMiner payload, hosted on GitHub.
The researchers added that the crooks used SRBMiner to mine the XRP token, which comes from the Ripple blockchain built by the company of the same name. However, XRP is a minted token that cannot be mined. We’ve asked Trend Micro for clarification.
SRBMiner uses algorithms such as RandomX and KawPow for mining. It can generate a number of different tokens for its operators, but not XRP. Available tokens include Monero, Ravencoin, Haven Protocol, Wownero and Firo.
It’s safe to assume that the crooks were actually mining Monero, one of the most popular tokens among cybercriminals, given its advanced privacy and anonymity features. Monero is also commonly mined via the XMRig cryptojacker, and its ticker is XMR, quite close to XRP.
Trend Micro warned all users to secure their remote Docker API servers by implementing stronger access controls and authentication mechanisms, blocking access to unauthenticated individuals. Additionally, users are advised to monitor the servers for unusual activity and implement container security best practices.
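The request sequence Trend Micro describes (version/availability probe, HTTP/1.1 upgrade to h2c, container creation) is also something a defender can hunt for when monitoring the API for unusual activity. The Python detector below is an added example, not code from the article or from Trend Micro: it walks constructed proxy access log lines in an assumed format and reports clients that progress through that chain; the log layout, the `/session` path in the sample, and the sample addresses are assumptions.

```python
"""Detect the chain described in the write-up in front-proxy access logs:
Docker API probe -> Upgrade: h2c -> container create.
Assumed (constructed) log format, one request per line:
    <iso-timestamp> <client-ip> "<METHOD> <path>" <status> upgrade=<value or ->
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) upgrade=(?P<upgrade>\S+)$'
)
# Docker Engine API: GET /_ping and GET /version answer the "is it up, which
# version" probe; POST /containers/create is where the miner container appears.
PROBE_SUFFIXES = ("/_ping", "/version")
CREATE_RE = re.compile(r"^(/v[\d.]+)?/containers/create")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Track each client through the chain in order; report clients that reached
    at least probe + h2c upgrade (two stages) or the full chain (three stages)."""
    stages = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the scan
        seen, path = stages[rec["ip"]], rec["path"]
        if not seen and path.endswith(PROBE_SUFFIXES):
            seen.append("probe")
        elif seen == ["probe"] and rec["upgrade"].lower() == "h2c":
            seen.append("h2c-upgrade")
        elif seen == ["probe", "h2c-upgrade"] and CREATE_RE.match(path):
            seen.append("container-create")
    return {ip: s for ip, s in stages.items() if len(s) >= 2}

# Constructed sample: 203.0.113.7 completes the chain, 198.51.100.9 stops after
# the upgrade, 10.0.0.5 is an ordinary client that only lists containers.
SAMPLE_LOG = """\
2024-10-22T09:00:01Z 203.0.113.7 "GET /version" 200 upgrade=-
2024-10-22T09:00:02Z 203.0.113.7 "POST /session" 101 upgrade=h2c
2024-10-22T09:00:05Z 203.0.113.7 "POST /v1.45/containers/create" 201 upgrade=-
2024-10-22T09:01:10Z 10.0.0.5 "GET /v1.45/containers/json" 200 upgrade=-
2024-10-22T09:01:11Z 10.0.0.5 "GET /_ping" 200 upgrade=-
2024-10-22T09:02:00Z 198.51.100.9 "GET /_ping" 200 upgrade=-
2024-10-22T09:02:01Z 198.51.100.9 "POST /session" 101 upgrade=h2c
"""

def run_demo():
    return analyze(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for ip, chain in run_demo().items():
        print(f"{ip}: {' -> '.join(chain)}")
```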
Via The Hacker News