1. Forum
  2. FidoNet
  3. CONSPRCY

  • Misconfigured Docker inst

    From Mike Powell@1:2320/105 to All on Thu May 29 07:57:00 2025
    Misconfigured Docker instances are being hacked to mine cryptocurrency

    Date:
    Wed, 28 May 2025 14:25:00 +0000

    Description:
    A worm is spreading the miner autonomously, earning attackers plenty of Dero.

    FULL STORY

    Hackers are building a botnet out of misconfigured Docker API instances and using it to mine the Dero cryptocurrency, experts have warned.

    Security researchers from Kaspersky reported finding a container zombie outbreak that started with an exposed Docker API.

    This led to the running containers being compromised and new ones being
    created not only to hijack the victims resources for cryptocurrency mining
    but also to launch external attacks to propagate to other networks, they explained.

    In this zombie outbreak, the patient zero is a misconfigured API thats left open to the internet. There, the attackers deploy a piece of malware
    disguised as nginx, a high-performance, open-source web server and reverse proxy server.

    The malware scans for vulnerable instances and infects them, and then creates new malicious containers and forces existing ones to mine Dero. At the same time, it continues to spread to other systems.

    This is a two-step process, Kaspersky explains. Nginx is the propagation tool that scans for new victims, with the miner being a cloud-based solution. Both components are written in Golang, which makes them rather difficult to
    detect.

    Kaspersky also says that unlike traditional cryptojacking campaigns, this one doesnt rely on a command & control (C2) server, but instead spreads autonomously, like a worm.

    Users running Docker should check their API settings, and make sure its not exposed to the internet. Furthermore, they should fortify their login credentials, and perform regular security audits and monitoring.

    While cybercriminals usually hijack servers to mine Monero with the XMRig,
    this is not the first time researchers spotted Dero. According to The Hacker News , CrowdStrike saw Kubernetes clusters being targeted back in March 2023, and a subsequent iteration of the same campaign was spotted by Wiz in June 2024.

    Similar to Monero, Dero is also a privacy-focused Layer 1 blockchain, built
    to support decentralized applications (dApps) and smart contracts.

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/misconfigured-docker-instances-are-bein g-hacked-to-mine-cryptocurrency

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)