Crypto-Mining Botnet Goes After Misconfigured Docker APIs
A notorious cryptocurrency mining botnet has begun targeting misconfigured Docker APIs, according to CrowdStrike.
LemonDuck has been observed exploiting ProxyLogon vulnerabilities in Microsoft Exchange Server and using EternalBlue and other exploits to mine cryptocurrency, escalate privileges and move laterally inside compromised networks.
Now its attention has turned to one of the world’s most popular containerization platforms.
The botnet is targeting exposed Docker APIs in order to gain initial access, CrowdStrike explained.
“It runs a malicious container on an exposed Docker API by using a custom Docker Entrypoint to download a ‘core.png’ image file that is disguised as a Bash script,” it said in a blog post yesterday.
Before the payload – an “a.asp” file – is downloaded and mining can begin, the script performs several actions, including killing the processes, and targeting the known file paths (IOCs) and C&C connections, of competing crypto-mining groups.
The a.asp file is also capable of switching off Alibaba’s cloud monitoring service in order to fly under the radar of network defenders.
LemonDuck attempts to move laterally by searching for SSH keys on a filesystem, using them to log into additional servers and run its malicious scripts.
The researchers also found multiple campaigns running from many of the C&C servers associated with LemonDuck, including ones targeting Windows and Linux machines.
“Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining is proven to be a monetarily attractive option for attackers,” CrowdStrike concluded.
“Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which started targeting Docker for cryptomining on the Linux platform.”
The campaign highlights the need for administrators to ensure their container environments, and in particular the Docker API itself, are configured according to industry best practices, ideally with cloud workload security and detection and response tools installed.
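The initial access described above depends on one misconfiguration: a Docker API reachable over TCP with no TLS client authentication, which lets any client that can connect create containers as root. The script below is an added example, not code from the article or from CrowdStrike's research, that audits the two places the listener is usually configured on a Linux host, `/etc/docker/daemon.json` (the `hosts` and `tlsverify` keys) and the `ExecStart=` line of the dockerd systemd unit (the `-H`/`--host` and `--tlsverify` flags). Every config string in it is constructed for illustration; the file paths in the hardened sample are placeholders.

```python
"""Audit a Docker daemon configuration for an API endpoint exposed over plain TCP.

Added example (not from the article or CrowdStrike).  All sample inputs below are
constructed; run it as-is, or feed it your own daemon.json text / ExecStart= line.
"""
import json
import shlex
from dataclasses import dataclass

# Constructed sample inputs.  The weak ones bind the API on every interface with
# no TLS; the hardened one requires client certificates (paths are placeholders).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
WEAK_EXECSTART = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                  "--containerd=/run/containerd/containerd.sock")

# Bind addresses that mean "every interface on the host".
ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}


@dataclass
class Finding:
    host: str       # the -H / "hosts" entry that triggered the finding
    severity: str   # "critical", "high" or "info"
    reason: str


def _bind_address(tcp_host):
    """Strip the scheme and port: 'tcp://0.0.0.0:2375' -> '0.0.0.0'."""
    addr = tcp_host[len("tcp://"):]
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def audit_hosts(hosts, tls_verify):
    """Rate each TCP listener in a list of dockerd host entries."""
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// are local and governed by socket permissions
        bind = _bind_address(host)
        if not tls_verify:
            # No client authentication at all: remote callers can run containers as root.
            severity = "critical" if bind in ALL_INTERFACES else "high"
            findings.append(Finding(host, severity,
                "API reachable over TCP without tlsverify: unauthenticated container creation"))
        elif bind in ALL_INTERFACES:
            findings.append(Finding(host, "info",
                "TLS-authenticated API on all interfaces: still restrict reachability with a firewall"))
    return findings


def audit_daemon_json(text):
    """Audit the 'hosts' / 'tlsverify' keys of a daemon.json document."""
    cfg = json.loads(text)
    return audit_hosts(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def audit_execstart(line):
    """Audit a systemd ExecStart= line for dockerd's -H/--host and --tlsverify flags."""
    argv = shlex.split(line.split("=", 1)[1])
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return audit_hosts(hosts, tls_verify)


def worst_severity(findings):
    """Highest severity present, or 'none' when the configuration is clean."""
    order = {"critical": 3, "high": 2, "info": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for label, findings in (("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
                            ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
                            ("weak ExecStart", audit_execstart(WEAK_EXECSTART))):
        print(f"{label}: {worst_severity(findings)}")
        for f in findings:
            print(f"  [{f.severity}] {f.host}: {f.reason}")
```

On a real host, `systemctl cat docker` prints the unit's `ExecStart=` line and `/etc/docker/daemon.json` holds the file form; audit whichever one you actually use, since dockerd refuses to start if `hosts` is set in both. A loopback-only plain-TCP listener is rated `high` rather than `critical` because any local user or container that can reach it still gets root-equivalent access to the host.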