Subj : Misconfigured Docker inst
To   : All
From : Mike Powell
Date : Thu May 29 2025 07:57 am

Misconfigured Docker instances are being hacked to mine cryptocurrency

Date:
Wed, 28 May 2025 14:25:00 +0000

Description:
A worm is spreading the miner autonomously, earning attackers plenty of Dero.

FULL STORY

Hackers are building a botnet out of misconfigured Docker API instances and
using it to mine the Dero cryptocurrency, experts have warned.

Security researchers from Kaspersky reported finding a container zombie
outbreak that started with an exposed Docker API.

This led to the running containers being compromised and new ones being
created not only to hijack the victims' resources for cryptocurrency mining
but also to launch external attacks to propagate to other networks, they
explained.

In this zombie outbreak, the patient zero is a misconfigured API that's left
open to the internet. There, the attackers deploy a piece of malware
disguised as nginx, a high-performance, open-source web server and reverse
proxy server.

The malware scans for vulnerable instances and infects them, and then creates
new malicious containers and forces existing ones to mine Dero. At the same
time, it continues to spread to other systems.

This is a two-step process, Kaspersky explains. Nginx is the propagation tool
that scans for new victims, with the miner being a cloud-based solution. Both
components are written in Golang, which makes them rather difficult to
detect.

Kaspersky also says that unlike traditional cryptojacking campaigns, this one
doesn't rely on a command & control (C2) server, but instead spreads
autonomously, like a worm.

Users running Docker should check their API settings, and make sure it's not
exposed to the internet. Furthermore, they should fortify their login
credentials, and perform regular security audits and monitoring.
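A concrete way to do the first of those checks, added here as an example and
not taken from the article or from Kaspersky's report: audit where dockerd is
configured to listen (the "hosts" key in daemon.json and any -H/--host on the
dockerd command line) and cross-check it against what is actually bound
according to `ss -ltnp`. The sample daemon.json, command line and ss output are
constructed to show the misconfiguration the story describes; whether TLS
client verification (--tlsverify) is enabled is passed in as a flag rather than
parsed, and the finding labels are this example's own.

```python
import json
import re
import shlex

# Constructed sample inputs, not taken from the article or from Kaspersky's
# report: what daemon.json, the dockerd command line and `ss -ltnp` might look
# like on a host whose API is bound to every interface without TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"
SAMPLE_SS_OUTPUT = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
    'LISTEN 0      4096   0.0.0.0:2375      0.0.0.0:*    users:(("dockerd",pid=812,fd=7))\n'
    'LISTEN 0      128    127.0.0.1:22      0.0.0.0:*    users:(("sshd",pid=600,fd=3))\n'
)

# Address prefixes that mean "this host only"; anything else is reachable
# from the network and therefore worth a finding.
LOOPBACK = ("127.", "localhost", "[::1]", "::1")


def hosts_from_daemon_json(text):
    """Listener specs from the "hosts" key of daemon.json (empty if absent)."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", []))


def hosts_from_cmdline(cmdline):
    """Listener specs given to dockerd as -H/--host, in either spelling."""
    args = shlex.split(cmdline)
    hosts = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if arg.startswith(prefix):
                hosts.append(arg[len(prefix):])
        i += 1
    return hosts


def classify_host(spec, tls_verify):
    """Map one listener spec to a (label, spec) finding, or None when it is not
    a network exposure: unix socket, systemd fd://, or TCP on loopback only."""
    if not spec.startswith("tcp://"):
        return None
    addr = spec[len("tcp://"):]
    if addr.startswith(LOOPBACK):
        return None
    # A non-loopback TCP bind without client-certificate verification hands
    # full daemon control (effectively root on the host) to anyone who can
    # reach the port; with verification it is still exposed but gated.
    return ("tcp-no-tls" if not tls_verify else "tcp-tls-client-auth", spec)


# One `ss -ltnp` row owned by dockerd: capture the local address and port.
SS_LINE = re.compile(r'LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("dockerd"')


def dockerd_tcp_listeners(ss_output):
    """(address, port) pairs where a dockerd process is listening on TCP,
    parsed from `ss -ltnp` output; this is what is bound, whatever the config
    files claim."""
    return [(m.group(1), int(m.group(2))) for m in SS_LINE.finditer(ss_output)]


def audit(daemon_json, cmdline, tls_verify, ss_output):
    """Combine configured listeners and observed sockets into a finding list."""
    findings = []
    for spec in hosts_from_daemon_json(daemon_json) + hosts_from_cmdline(cmdline):
        finding = classify_host(spec, tls_verify)
        if finding and finding not in findings:
            findings.append(finding)
    for addr, port in dockerd_tcp_listeners(ss_output):
        if not addr.startswith(LOOPBACK):
            findings.append(("listening", f"{addr}:{port}"))
    return findings


if __name__ == "__main__":
    # On a real host, feed in /etc/docker/daemon.json, the dockerd line from
    # `ps -o args= -C dockerd`, and the output of `ss -ltnp`.
    for label, detail in audit(SAMPLE_DAEMON_JSON, SAMPLE_CMDLINE, False, SAMPLE_SS_OUTPUT):
        print(f"{label}: {detail}")
```

An empty finding list is the state the article recommends: the daemon reachable
only over its unix socket (or loopback), with no dockerd TCP listener visible to
the network. The ss check matters because daemon.json and the unit file can
disagree, and a listener you did not configure is exactly the case you want to
notice.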

While cybercriminals usually hijack servers to mine Monero with XMRig,
this is not the first time researchers have spotted Dero. According to The Hacker
News, CrowdStrike saw Kubernetes clusters being targeted back in March 2023,
and a subsequent iteration of the same campaign was spotted by Wiz in June
2024.

Similar to Monero, Dero is also a privacy-focused Layer 1 blockchain, built
to support decentralized applications (dApps) and smart contracts.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/misconfigured-docker-instances-are-being-hacked-to-mine-cryptocurrency

--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)