- Security researchers spot new campaign targeting Docker instances
- The attack deploys a cloud crypto miner, and a worm for further propagation
- The miner generates the Dero currency
Hackers are building a botnet out of misconfigured Docker API instances and using it to mine the Dero cryptocurrency, experts have warned.
Security researchers from Kaspersky reported finding a “container zombie outbreak” that started with an exposed Docker API.
“This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks,” they explained.
Negotiations ongoing?
In this zombie outbreak, the “patient zero” is a misconfigured API that’s left open to the internet. There, the attackers deploy a piece of malware disguised as ‘nginx’, a high-performance, open-source web server and reverse proxy server.
The malware scans for vulnerable instances and infects them, and then creates new malicious containers and forces existing ones to mine Dero. At the same time, it continues to spread to other systems.
This is a two-step process, Kaspersky explains. Nginx is the propagation tool that scans for new victims, with the miner being a cloud-based solution. Both components are written in Golang, which makes them rather difficult to detect.
Kaspersky also says that unlike traditional cryptojacking campaigns, this one doesn’t rely on a command & control (C2) server, but instead spreads autonomously, like a worm.
Users running Docker should check their API settings, and make sure it’s not exposed to the internet. Furthermore, they should fortify their login credentials, and perform regular security audits and monitoring.
While cybercriminals usually hijack servers to mine Monero with the XMRig, this is not the first time researchers spotted Dero. According to The Hacker News, CrowdStrike saw Kubernetes clusters being targeted back in March 2023, and a subsequent iteration of the same campaign was spotted by Wiz in June 2024.
Similar to Monero, Dero is also a privacy-focused Layer 1 blockchain, built to support decentralized applications (dApps) and smart contracts.
Via The Hacker News