Docker Swarm as a weapon: what are cybercriminals up to?

Man

Stealth scripts get to the heart of your infrastructure.

Researchers from Datadog have identified a new cryptojacking campaign targeting the Docker Engine API, which aims to enrol compromised containers in an attacker-controlled Docker Swarm. This lets the attackers use Docker Swarm's orchestration features as a command-and-control mechanism.

During the attacks, the attackers gain initial access through the exposed Docker API to install a cryptocurrency miner on compromised containers and to download additional scripts that allow lateral movement across the network to hosts running Docker, Kubernetes, or SSH. Vulnerable targets are identified using internet scanning tools such as masscan and ZGrab.

On vulnerable Docker API endpoints, an Alpine container is launched, after which the "init.sh" script is downloaded from the remote server "solscan[.]live". The script checks for root privileges and for the curl and wget tools, and then installs the XMRig miner. To hide the mining process, the libprocesshider rootkit is used, making it difficult to detect with standard system commands.

In addition, the init.sh script downloads three other scripts, "kube.lateral.sh", "spread_docker_local.sh", and "spread_ssh.sh", that allow the attackers to spread across Docker, Kubernetes, and SSH hosts on the network. For example, "spread_docker_local.sh" scans the local network for open ports associated with Docker Engine and Docker Swarm and, when open ports are found, runs a container based on the upspin image from Docker Hub to distribute the malicious code to other Docker hosts.

Interestingly, the name of the upspin Docker image is stored in a text file on the C2 server, which makes it easy for the attackers to switch to another container image if the current one is blocked. The "spread_ssh.sh" script is capable of compromising SSH servers, adding an SSH key, and creating a user named "ftp" to maintain persistent access.

The last stage of the attack is to run the "setup_mr.sh" script, which retrieves and starts the cryptocurrency miner. Further scripts such as "ar.sh", "TDGINIT.sh", and "pdflushs.sh" have also been found on the C2 server; they modify iptables rules, download scanning tools, install a backdoor, and change the Docker Swarm configuration to extend control over Docker hosts.
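As an added example (not code from the article or from Datadog), here is a small host audit that checks for the indicators the campaign leaves behind: a Docker Engine API bound on plain TCP, a node enrolled in a swarm whose manager is not on your own allow-list, a login-capable "ftp" account, and entries in /etc/ld.so.preload (libprocesshider hides processes by being preloaded into every process through that file). The sample inputs and the trusted-manager address are constructed for the demonstration.

```python
import json

# Constructed sample inputs shaped like what an audit would read from a host.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_DOCKER_INFO = json.dumps({"Swarm": {"LocalNodeState": "active",
                                           "RemoteManagers": [{"Addr": "198.51.100.7:2377"}]}})
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nftp:x:1001:1001::/home/ftp:/bin/bash\n"
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"
TRUSTED_MANAGERS = {"10.0.0.5:2377"}  # assumed allow-list of your own swarm managers


def audit_docker_host(daemon_json, docker_info_json, passwd_text, ld_preload_text, trusted_managers):
    """Return a list of finding strings; an empty list means no indicator matched."""
    findings = []
    cfg = json.loads(daemon_json)
    # 1. Docker Engine API reachable over plain TCP: the entry point the campaign scans for.
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"docker-api-exposed: {host} without tlsverify")
    # 2. Node enrolled in a swarm whose manager is not one of ours (swarm used as C2).
    swarm = json.loads(docker_info_json).get("Swarm", {})
    if swarm.get("LocalNodeState") == "active":
        for manager in swarm.get("RemoteManagers", []):
            addr = manager.get("Addr")
            if addr not in trusted_managers:
                findings.append(f"swarm-unknown-manager: {addr}")
    # 3. Persistence account named "ftp" that still has a login shell.
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == "ftp" and not fields[6].endswith(("nologin", "false")):
            findings.append(f"suspicious-user: {line}")
    # 4. Any /etc/ld.so.preload entry is worth a look; a clean host normally has none.
    for lib in ld_preload_text.split():
        findings.append(f"ld-preload-entry: {lib}")
    return findings


if __name__ == "__main__":
    for finding in audit_docker_host(SAMPLE_DAEMON_JSON, SAMPLE_DOCKER_INFO,
                                     SAMPLE_PASSWD, SAMPLE_LD_PRELOAD, TRUSTED_MANAGERS):
        print(finding)
```

On a live host the inputs come from /etc/docker/daemon.json, `docker info --format '{{json .}}'`, /etc/passwd and /etc/ld.so.preload; the allow-list should hold the addresses of your own swarm managers.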

The campaign is attributed to the well-known TeamTNT group, which has used similar tactics before. Experts warn that cryptojacking attacks on Docker and Kubernetes remain popular because they are highly profitable and easy to automate, which motivates attackers to keep carrying them out.

As previously reported, Elastic Security Labs uncovered a campaign using sophisticated Linux malware that targets vulnerable Apache servers. In that attack, the attackers establish persistent access through GSocket and deploy malware families such as Kaiji and RUDEDEVIL to carry out DDoS attacks and mine cryptocurrency.
