7 April 2020

Bitcoin mining campaign targets thousands of Docker servers


Bitcoin mining campaign targets thousands of Docker servers

For the past few months an organized, self-propagating cryptomining campaign has been targeting misconfigured open Docker Daemon API ports, with thousands of attempts taking place nearly on a daily basis, researchers from Aqua Security warn.

The attackers scan the internet for exposed misconfigured Docker API ports and then exploit these open ports to run an Ubuntu container and deploy the Kinsing malware, which, in turn, downloads and runs a cryptominer.

The Kinsing miner is a Golang-based Linux agent that uses several Go libraries, including:

  • go-resty – an HTTP and REST client library, used to communicate with a command and control (C&C) server.

  • gopsutil – a process utility library, used for system and processes monitoring.

  • osext – extension to the standard ‘os’ package, used to execute binaries.

  • diskv – A disk-backed key-value store, for storage.

Before the malware proceeds to deploy its payload, it attempts to connect with servers in Eastern Europe, the researchers say.

The malware downloads the spre.sh shell script used to laterally spread the malware across the container network. The shell script is also able to perform several actions such as removing other malware running on the same Docker instance, collecting local SSH credentials in an attempt to perform lateral movements in the container network, disabling security measures and clear logs, infecting other cloud systems with the same piece of malware.

At the last stage of the attack the malware runs a cryptominer called kdevtmpfsi, which is a Bitcoin miner. The cryptominer connects to a host with the 193.33.87.219 IP address using a log in request over HTTP, receives further instructions, and starts mining cryptocurrency.

“This attack stands out as yet another example of the growing threat to cloud native environments. With deployments becoming larger and container use on the rise, attackers are upping their game and mounting more ambitious attacks, with an increasing level of sophistication,” the researchers conclude.

Back to the list

Latest Posts

Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

Spyware makers and state-backed hackers are primary culprits behind rise in zero-day exploits, Google says

97 zero-day flaws were exploited in-the-wild in 2023, marking an increase of over 50% compared to 2022.
27 March 2024
Sophisticated malware campaign targeting end-of-life routers and IoT devices

Sophisticated malware campaign targeting end-of-life routers and IoT devices

A recent campaign targeted over 6,000 ASUS routers in less than 72 hours.
27 March 2024
Chinese APT groups target Southeast Asian nations in cyberespionage campaigns

Chinese APT groups target Southeast Asian nations in cyberespionage campaigns

The observed cyberattack employed phishing emails as the primary method of infiltration.
27 March 2024