18 June 2024

Attackers use new tactics in campaign targeting exposed Docker APIs


Cybersecurity researchers have uncovered a sophisticated malware campaign targeting publicly exposed Docker API endpoints, aiming to deploy cryptocurrency miners and other malicious payloads.

The new campaign, detailed by cloud analytics platform Datadog, bears similarities to another operation, named “Spinning YARN”, that cybersecurity firm Cado Security detected in March 2024. That campaign targeted misconfigured services such as Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis for cryptojacking.

The current wave focuses on Docker servers with exposed port 2375, initiating a multi-step process from reconnaissance to privilege escalation and exploitation.

Attackers start by scanning the internet for Docker hosts with port 2375 open. Once a potential target is identified, they use common Docker reconnaissance techniques, including querying the Docker host version through an HTTP GET request to the /v1.16/version endpoint to confirm the Docker host’s responsiveness.

The threat actors then attempt to spawn an Alpine Linux container. They use Docker’s Binds parameter to bind the Docker host’s root directory into the container and escalate privileges by accessing the host’s underlying filesystem through the /mnt directory within the container.

In the container, the attackers execute a shell command using the Linux chroot utility, setting the root of subsequent processes to the /mnt directory. They then ensure persistent execution by fetching a second-stage payload using the vurl executable.

The second stage involves deploying two shell scripts that download and execute the attacker's payload, including the XMRig miner for cryptojacking. After successfully launching the XMRig miner on compromised hosts, attackers deploy a new payload, named ‘exeremo’, which facilitates lateral movement to additional hosts.
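The two misconfigurations the chain above depends on, a Docker API reachable over plain TCP and a container-create request that binds the host root filesystem, can both be checked for from the defender's side. The following is an added example, not code from the article or from Datadog; the request bodies are constructed to resemble the described request and a benign one, and the audit functions are hypothetical helpers written for this illustration.

```python
import json

# Constructed sample: body of a Docker Engine API "POST /containers/create"
# request shaped like the one the article describes (Alpine image, host root
# bound to /mnt, chroot into it). Not captured from a real host.
SAMPLE_CREATE_BODY = json.dumps({
    "Image": "alpine",
    "Cmd": ["chroot", "/mnt", "sh"],
    "HostConfig": {"Binds": ["/:/mnt"]},
})

# Constructed benign request for comparison: a named volume, no host path.
BENIGN_CREATE_BODY = json.dumps({
    "Image": "alpine",
    "Cmd": ["sh"],
    "HostConfig": {"Binds": ["appdata:/data:ro"]},
})


def audit_container_create(body: str) -> list:
    """Return findings for one container-create request body (hypothetical helper)."""
    spec = json.loads(body)
    host_cfg = spec.get("HostConfig") or {}
    findings = []
    for bind in host_cfg.get("Binds") or []:
        # Bind syntax is "source:container-path[:options]"; a source that
        # starts with "/" is a host path rather than a named volume.
        src = bind.split(":", 1)[0]
        if src == "/":
            findings.append(f"host root filesystem bound into container ({bind})")
        elif src.startswith("/"):
            findings.append(f"host path bound into container ({bind})")
    cmd = spec.get("Cmd") or []
    if cmd and cmd[0] == "chroot":
        target = cmd[1] if len(cmd) > 1 else "?"
        findings.append(f"entrypoint chroots into {target}")
    return findings


def audit_daemon_hosts(hosts: list, tls_verify: bool) -> list:
    """Flag dockerd listen addresses that expose the API over TCP without TLS
    client verification, e.g. the port 2375 exposure the article describes."""
    return [
        f"Docker API exposed over TCP without TLS client verification ({h})"
        for h in hosts
        if h.startswith("tcp://") and not tls_verify
    ]
```

Feeding daemon audit logs or a proxy's view of container-create requests through `audit_container_create` turns the described chain into an alert rather than an after-the-fact discovery.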

“Although the likely objective of this campaign is to deploy an XMRig miner to compromised hosts, the attackers also ensured that they maintain access to victim machines via SSH. Maintaining remote code execution to victim hosts could mean that attackers can leverage their access for additional objectives,” the researchers noted.
