Hackers have been spotted using the Docker Engine API to target various containers with cryptojackers and other malware.
Cybersecurity researchers at Datadog, who recently observed such a campaign and reported on it in an in-depth analysis, noted that the criminals first looked for Internet-exposed Docker Engine APIs that were not password protected, using various internet scanning tools.
They then used the Docker API to spawn an Alpine container and mount the underlying host’s filesystem into the container. The next step is to run a shell command to retrieve an initialization script that effectively starts the infection chain.
No evidence of abuse
The Docker Engine API is a Docker-provided interface that allows developers and systems to programmatically interact with the Docker daemon. The API allows users to manage and monitor Docker containers, networks, and images, all via HTTP requests.
The chain starts with data transfer tools that in turn deploy XMRig. This is a popular cryptojacker, a tool that uses the computing power of the compromised device to generate cryptocurrency tokens and send them to the attacker’s wallet address.
The attackers then deploy a few scripts to hide the presence of XMRig and then go for additional payloads that allow them to move laterally. Other Docker Swarm, Kubernetes, and SSH servers are targeted and eventually included in an actor-controlled Docker Cluster.
The cluster allows the crooks to use Docker Swarm’s orchestration features for command and control tasks.
At the time of writing, researchers have not yet identified the group behind this campaign. The tactics, techniques and procedures (TTP) of this campaign overlap with those commonly used by TeamTNT, they suggested.
“This campaign shows that services like Docker and Kubernetes remain fertile for threat actors conducting cryptojacking at scale,” Datadog said, before adding that as long as these APIs remain online without proper protection, they will be considered “low-hanging fruit” . crooks.
Via The hacker news