A malicious actor exploiting exposed Docker APIs has developed sophisticated tooling that can build a botnet and execute complex persistence mechanisms. This evolving threat combines container hijacking, lateral movement, and potential future capabilities such as credential theft and DDoS attacks. #DockerAPI #Botnet #Akamai #TrendMicro
Key points
- The threat actor exploits exposed Docker API ports to deploy malicious containers.
- The malware routes its traffic through the Tor network to proxy connections and download second-stage payloads covertly.
- Persistent access is gained by modifying the host's SSH authorized keys and setting up cron jobs to block API access.
- The malware contains self-replication features to infect additional Docker environments autonomously.
- Additional potential exploitation vectors include Telnet and Chrome remote debugging interfaces for future attacks.
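Two of the points above are cheap to audit on a Docker host: whether the daemon listens on a plain TCP port at all, and whether any running container is privileged or bind-mounts a host path that would give it a route to the host's SSH keys or scheduler. The script below is an added example written for this summary, not tooling from Akamai, Trend Micro or the Docker project. It assumes daemon settings in the `daemon.json` format (`hosts`, `tlsverify` keys) and container data in `docker inspect` JSON form; both samples embedded here are constructed.

```python
"""Audit a Docker host for the two exposures described in the summary above.

Added example. Assumptions (not from the original page): daemon settings are
read from a daemon.json-style dict, containers from docker-inspect-style JSON.
Real data can be fed in with:  docker inspect $(docker ps -q)
"""
import json

# Host paths whose bind-mount into a container lets it reach the host's
# SSH authorized_keys files or cron directories (the persistence steps above).
SENSITIVE_HOST_PATHS = (
    "/", "/root", "/root/.ssh", "/home", "/etc", "/etc/cron.d", "/var/spool/cron",
)


def daemon_exposes_tcp(daemon_config):
    """Return 'hosts' entries that listen on TCP while TLS verification is off."""
    if daemon_config.get("tlsverify", False):
        return []
    return [h for h in daemon_config.get("hosts", []) if h.startswith("tcp://")]


def _path_is_sensitive(host_path):
    """True if host_path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = "/" + host_path.strip("/")          # normalise trailing slashes
    if norm == "/":
        return True                            # whole host filesystem mounted
    for p in SENSITIVE_HOST_PATHS:
        if p != "/" and (norm == p or norm.startswith(p + "/")):
            return True
    return False


def risky_containers(inspect_output):
    """Flag containers that are privileged or bind-mount a sensitive host path."""
    findings = []
    for c in inspect_output:
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and _path_is_sensitive(m.get("Source", "")):
                reasons.append(f"bind-mount {m['Source']} -> {m.get('Destination')}")
        if reasons:
            findings.append({
                "name": c.get("Name", "?"),
                "image": c.get("Config", {}).get("Image"),
                "reasons": reasons,
            })
    return findings


# Constructed sample input: a daemon bound to all interfaces without TLS, one
# benign container and one that mounts the host root while privileged.
SAMPLE_DAEMON_JSON = json.loads(
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
)
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web", "Config": {"Image": "nginx:1.25"},
  "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "volume", "Source": "web-data",
              "Destination": "/usr/share/nginx/html"}]},
 {"Name": "/zealous_x", "Config": {"Image": "alpine:latest"},
  "HostConfig": {"Privileged": true},
  "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host"}]}
]""")

if __name__ == "__main__":
    for h in daemon_exposes_tcp(SAMPLE_DAEMON_JSON):
        print(f"[daemon] API reachable without TLS on {h}")
    for f in risky_containers(SAMPLE_INSPECT):
        print(f"[container] {f['name']} ({f['image']}): {', '.join(f['reasons'])}")
```

A TCP listener is reported only when `tlsverify` is off, because a TLS-protected `tcp://` endpoint on 2376 is the documented way to expose the API deliberately; the unauthenticated 2375 case in the sample is the one the summary's actor abuses. The mount check deliberately treats the host root, home directories, `/etc` and the cron spool as sensitive because those are the paths a container needs in order to edit `authorized_keys` or drop a cron job on the host.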