Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

June 7, 2024 at 01:48AM

Commando Cat, a threat actor, is behind a cryptojacking campaign leveraging poorly secured Docker instances to deploy cryptocurrency miners. The attacks involve targeting misconfigured Docker remote API servers and using Docker images to deploy cryptojacking scripts, evading detection by security software. Additionally, Chinese-speaking threat actors exploit ThinkPHP applications to deliver a web shell for advanced victim control.

Key Takeaways:

1. Commando Cat, a threat actor, has been linked to an ongoing cryptojacking campaign that exploits misconfigured Docker instances to deploy cryptocurrency miners for financial gain. The tactic lets attackers abuse Docker configuration weaknesses while evading detection by security software.

2. The Commando Cat attacks are notable for targeting misconfigured Docker remote API servers to deploy a Docker image named “cmd.cat/chattr,” break out of its confines, and gain access to the host operating system in order to retrieve the malicious miner binary. The binary, suspected to be ZiggyStarTux, is based on the Kaiten (aka Tsunami) malware.

3. Akamai researchers disclosed that security flaws in ThinkPHP applications, such as CVE-2018-20062 and CVE-2019-9082, are being exploited by a suspected Chinese-speaking threat actor. The exploitation delivers a web shell called Dama, which is equipped with advanced capabilities for gathering system data, uploading files, scanning network ports, escalating privileges, and navigating the file system.

4. The use of a fully-fledged web shell by the Chinese-speaking adversary emphasizes an ongoing trend of attackers utilizing advanced victim control mechanisms.

5. Importantly, Akamai researchers suggest the attacks may be indiscriminately targeting a broad range of systems, since not all of the targeted customers were using ThinkPHP.
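The Docker exposure described in item 2 can be checked from the defender's side. The following is an added example, not code from the article or from any of the researchers it cites: it flags a dockerd configuration that listens on an unauthenticated TCP socket, and scans `docker inspect`-style records for containers that combine an image from the cmd.cat registry with host-level access. The `hosts` and `tlsverify` keys are real dockerd options; the sample records are constructed, and the escape indicators (privileged mode, host root bind mount, host PID namespace) are general container-escape signals assumed here, not details the article gives.

```python
import json

# Constructed sample of /etc/docker/daemon.json: a TCP listener with no
# "tlsverify" is exactly the kind of misconfigured remote API the article
# describes.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed records shaped like the subset of `docker inspect` output that
# the checker reads (Config.Image and HostConfig.*). Values are made up.
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False,
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                    "PidMode": ""}},
    {"Name": "/suspect", "Config": {"Image": "cmd.cat/chattr"},
     "HostConfig": {"Privileged": True, "Binds": ["/:/host"],
                    "PidMode": "host"}},
]


def remote_api_exposed(daemon_json: str) -> bool:
    """True when dockerd listens on a TCP socket without TLS client auth."""
    cfg = json.loads(daemon_json)
    tcp_listeners = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp_listeners) and not cfg.get("tlsverify", False)


def risk_indicators(container: dict) -> list[str]:
    """Reasons a container resembles the pattern from the article (assumed indicators)."""
    hc = container.get("HostConfig", {})
    hits = []
    if container.get("Config", {}).get("Image", "").startswith("cmd.cat/"):
        hits.append("image from cmd.cat registry")
    if hc.get("Privileged"):
        hits.append("privileged")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/":          # host root mounted into the container
            hits.append("host root bind-mounted")
    if hc.get("PidMode") == "host":
        hits.append("host PID namespace")
    return hits


def suspicious(containers: list[dict]) -> dict[str, list[str]]:
    """Map container name -> indicators for containers with two or more hits."""
    findings = {}
    for c in containers:
        indicators = risk_indicators(c)
        if len(indicators) >= 2:
            findings[c["Name"]] = indicators
    return findings
```

On a live host, feed `suspicious()` the output of `docker inspect $(docker ps -aq)` parsed with `json.load`.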

These takeaways highlight the evolving landscape of cybersecurity threats, particularly cryptojacking and web shell exploitation.
