Docker servers hacked in ongoing cryptomining malware campaign

Docker APIs on Linux servers are getting specific by a substantial-scale Monero crypto-mining campaign from the operators of the Lemon_Duck botnet.

Cryptomining gangs are a constant risk to poorly secured or misconfigured Docker units, with multiple mass-exploitation strategies noted in new decades.

LemonDuck, in individual, was previously focusing on exploiting vulnerable Microsoft Trade servers, and prior to that it targeted Linux equipment via SSH brute drive attacks, Windows units susceptible to SMBGhost, and servers jogging Redis and Hadoop cases.

In accordance to a Crowdstrike report printed right now, the risk actor powering the ongoing Lemon_Duck marketing campaign is hiding their wallets behind proxy pools.

Marketing campaign aspects

Lemon_Duck gains entry to uncovered Docker APIs and runs a malicious container to fetch a Bash script disguised as a PNG graphic.

The payload generates a cronjob in the container to down load a Bash file (a.asp) that performs the subsequent steps:

• Kill procedures based on names of identified mining swimming pools, competing cryptomining teams, and so on.
• Destroy daemons like crond, sshd and syslog.
• Delete acknowledged indicator of compromise (IOC) file paths.
• Get rid of network connections to C2s regarded to belong to competing cryptomining teams.
• Disable Alibaba Cloud’s checking service that guards occasions from risky pursuits.

Disabling safety characteristics in Alibaba Cloud expert services was formerly observed in cryptomining malware in November 2021, used by not known actors.

After jogging the actions higher than, the Bash script downloads and operates the cryptomining utility XMRig along with a configuration file that hides the actor’s wallets driving proxy pools.

Immediately after the originally infected machine has been set up to mine, Lemon_Duck tries lateral motion by leveraging SSH keys observed on the filesystem. If those are available, the attacker works by using them to repeat the very same infection process.

Trying to keep Docker threats in check out

Parallel to this campaign, Cisco Talos studies about a different a person attributed to TeamTNT, that also targets exposed Docker API circumstances on Amazon Web Services.

That threat team is also trying to disable cloud safety solutions to evade detection and continue on to mine Monero, Bitcoin, and Ether for as lengthy as possible.

It is apparent that the have to have to configure Docker API deployments securely is very important, and admins can start out by checking the platform’s most effective techniques and security recommendations towards their configuration.

In addition, established resource intake constraints on all containers, impose rigorous image authentication guidelines and enforce the ideas of least privilege.