November 14, 2023 at 07:33AM
Threat actors are targeting publicly-accessible Docker Engine API instances to create a DDoS botnet called OracleIV. Attackers exploit the misconfiguration to install a malicious Docker container, which contains Python malware. The container also retrieves a shell script from a command-and-control (C&C) server. Cloud security firm Cado observed no evidence of cryptocurrency mining by the counterfeit container. Docker instances and vulnerable MySQL servers have become popular attack targets for DDoS botnets. Other new DDoS botnets, such as hailBot, kiraiBot, and catDDoS, have emerged based on the leaked Mirai source code. Another resurfaced DDoS malware is XorDdos, which infects Linux devices for subsequent attacks.
Key Takeaways:
1. Threat actors are targeting publicly-accessible Docker Engine API instances to create a distributed denial-of-service (DDoS) botnet called OracleIV. Attackers exploit misconfigurations to deliver a malicious Docker container, which includes Python malware and an XMRig miner.
2. Exposed Docker instances have become a popular target for cryptojacking campaigns, allowing attackers to easily launch containers from malicious images hosted on Docker Hub.
3. Vulnerable MySQL servers are also targeted by a DDoS botnet malware known as Ddostf. The malware can connect to a new C&C server and execute commands, allowing the threat actor to sell DDoS attacks as a service.
4. Several new DDoS botnets, such as hailBot, kiraiBot, and catDDoS, based on the leaked Mirai source code, have emerged with advanced encryption algorithms and covert communication methods.
5. XorDdos is a Linux-based malware that infects devices and transforms them into zombies for subsequent DDoS attacks. The campaign started in late July 2023 and peaked around August 12, 2023.
Note: These takeaways summarize the main points from the meeting notes.