New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

October 1, 2024 at 01:27AM

Cybersecurity researchers have uncovered a new cryptojacking campaign that targets the Docker Engine API and co-opts compromised instances into a Docker Swarm under the attacker's control. The attackers use exposed Docker daemons for initial access, spawn a cryptocurrency miner, and then move laterally to related hosts. A second Linux campaign reported alongside it relies on evolving malware families and stealthy communication channels.

The researchers found that the campaign targets the Docker Engine API with the aim of enrolling instances into a malicious Docker Swarm controlled by the threat actor, abusing Swarm's own orchestration features for command-and-control. Initial access comes through unauthenticated, exposed Docker API endpoints, which the attackers use to deploy a cryptocurrency miner in containers on the compromised hosts. From there they move laterally to related hosts running Docker, Kubernetes, or SSH, scanning LAN ranges for open ports to find further unauthenticated Docker API endpoints. A rootkit hides the miner process, and a set of scripts handles lateral movement and the creation of persistent backdoors. The tactics overlap with those of the threat group known as TeamTNT, underlining the continuing risk posed by exposed Docker and Kubernetes services.
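The two conditions the campaign depends on, a Docker API reachable over TCP without client authentication and a node quietly joined to a swarm the operator never set up, can both be checked from the daemon's own configuration and its `GET /info` response. The audit below is an added example written for this page; it is not code from the article or from the researchers who reported the campaign. The `daemon.json` keys (`hosts`, `tlsverify`) and the `/info` fields (`Swarm.LocalNodeState`, `Swarm.RemoteManagers`) are real Docker Engine names; the sample configuration, the sample `/info` document and the allow-list of manager addresses are constructed for the demonstration, and `probe_api` is only exercised when a host is passed on the command line.

```python
"""Audit a Docker Engine host for an unauthenticated TCP API listener and
for swarm membership under managers the operator did not approve.

Added example, not the article's or the researchers' code. Runs offline on
the constructed samples below; the live probe is optional."""
import http.client
import json
import sys
from typing import Optional
from urllib.parse import urlparse

DEFAULT_API_PORT = 2375  # Docker's conventional plaintext API port (2376 is the TLS port)

# Constructed daemon.json: a plaintext TCP listener on every interface and
# no client-certificate verification, i.e. the exposure the attackers scan for.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tls": False,
    "tlsverify": False,
})

# Constructed GET /info excerpt: the node is an active swarm worker and one of
# its remote managers is an address outside the operator's network.
SAMPLE_INFO = {
    "Swarm": {
        "NodeID": "worker-node-example",
        "NodeAddr": "10.0.0.12",
        "LocalNodeState": "active",
        "ControlAvailable": False,
        "RemoteManagers": [
            {"NodeID": "manager-a", "Addr": "10.0.0.5:2377"},
            {"NodeID": "manager-b", "Addr": "203.0.113.7:2377"},
        ],
    }
}

# Assumed allow-list: the only swarm manager the operator actually runs.
APPROVED_MANAGERS = {"10.0.0.5:2377"}


def exposed_listeners(daemon_json: str) -> list:
    """tcp:// hosts served without client-certificate verification.

    'tls': true alone only encrypts the channel; without 'tlsverify' the
    daemon still accepts any client, so only tlsverify counts as authentication."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if urlparse(h).scheme == "tcp"]


def unapproved_swarm_managers(info: dict, approved: set) -> list:
    """Remote manager addresses from /info that are not on the allow-list.

    Returns an empty list when the node is not an active swarm member."""
    swarm = info.get("Swarm") or {}
    if swarm.get("LocalNodeState") != "active":
        return []
    managers = {m.get("Addr", "") for m in swarm.get("RemoteManagers") or []}
    return sorted(managers - set(approved))


def audit(daemon_json: str, info: dict, approved: set) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for host in exposed_listeners(daemon_json):
        findings.append(f"Docker API served without client TLS verification on {host}")
    for addr in unapproved_swarm_managers(info, approved):
        findings.append(f"node is an active swarm member under unapproved manager {addr}")
    return findings


def probe_api(host: str, port: int = DEFAULT_API_PORT, timeout: float = 3.0) -> Optional[dict]:
    """GET /info over plain HTTP with no credentials (the attacker's first step).

    A parsed JSON body back means anyone who can reach the port can drive
    the daemon; None means the port is closed, filtered, or not plaintext."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/info")
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return json.loads(resp.read())
    except (OSError, ValueError):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline run over the constructed samples; pass a host to probe a live daemon.
    info = SAMPLE_INFO
    if len(sys.argv) > 1:
        live = probe_api(sys.argv[1])
        print(f"{sys.argv[1]}:{DEFAULT_API_PORT} unauthenticated API: {'YES' if live else 'no'}")
        info = live or {}
    for line in audit(SAMPLE_DAEMON_JSON, info, APPROVED_MANAGERS):
        print("FINDING:", line)
```

On a real host, replace the sample with the contents of `/etc/docker/daemon.json` and the output of `docker info --format '{{json .}}'`; any finding from `unapproved_swarm_managers` on a machine that was never meant to run Swarm is exactly the enrollment the campaign performs.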

A second Linux malware campaign, tracked as REF6138, targets vulnerable Apache servers and combines cryptomining, DDoS attacks, and what appears to be money laundering through gambling APIs. Its operators use stealthy communication channels and evolved malware families such as Kaiji and RUDEDEVIL (also known as Lucifer) to establish persistence and carry out their activities.

Both campaigns show why container platforms such as Docker and Kubernetes need continuous monitoring and hardening: an exposed daemon is found and abused quickly, malware propagates rapidly to related hosts, and the financial motive keeps operators coming back. At a minimum, the Docker API should never be served over plaintext TCP, remote access should require TLS client verification, and unexpected swarm membership should raise an alert.
