
Exposed Docker APIs Fall Victim to Cryptojacking


Exposed Docker APIs have again been used by attackers to create new containers that perform cryptojacking or illicit coin mining, following a similar incident from earlier this year.

Containers are essentially packages that contain an application and all the dependencies required to run it, which can be deployed to Docker and Kubernetes systems as needed. This is done via a platform called Docker Engine, where containers run in the background. However, if Docker Engine is not properly secured, attackers can remotely utilise the Docker Engine API to deploy their own containers and launch them on the insecure system.

One such attacker has recently been spotted scanning for exposed Docker Engine APIs and using them to deploy containers that download and execute a coin miner. “We recently observed cases of abuse of the systems running misconfigured Docker Engine-Community with Docker application program interface (API) ports exposed,” states an analysis, published by Trend Micro. “The intrusion attempts to deploy a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.SH.MALXMR.ATNE) on the misconfigured systems.”
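A defender can check for the misconfiguration described above by auditing the Docker daemon configuration for TCP listeners that do not require client certificates. The following is an added example, not code from the article or from Trend Micro; it assumes the listeners are set through the `hosts` and `tlsverify` keys of `daemon.json`, and the two sample configurations (addresses, ports and file paths) are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def is_loopback(host):
    """True only for localhost or a loopback IP; an empty host means all interfaces."""
    if not host:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown hostname: assume it is reachable from the network

def audit_daemon_config(text):
    """Return (listener, severity, reason) for every TCP listener in daemon.json."""
    cfg = json.loads(text)
    # tlsverify makes the daemon demand a client certificate signed by its CA;
    # "tls" alone only encrypts the channel and authenticates nobody.
    mutual_tls = bool(cfg.get("tlsverify"))
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if mutual_tls:
            findings.append((listener, "ok", "client certificates required"))
        elif is_loopback(url.hostname):
            findings.append((listener, "warn", "unauthenticated, loopback only"))
        else:
            findings.append((listener, "critical", "unauthenticated and network-reachable"))
    return findings

# Constructed sample configurations, not taken from the incident.
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = '''{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
 "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
 "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'''

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        for finding in audit_daemon_config(sample):
            print(name, *finding, sep=" | ")
```

Listeners can also be passed to `dockerd` with `-H` on the command line or in a service unit, which this check does not read.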