Misconfigured Docker instances are being hacked to mine cryptocurrency
A worm is spreading the miner autonomously

- Security researchers spot new campaign targeting Docker instances
- The attack deploys a cloud crypto miner, and a worm for further propagation
- The miner generates the Dero currency
Hackers are building a botnet out of misconfigured Docker API instances and using it to mine the Dero cryptocurrency, experts have warned.
Security researchers from Kaspersky reported finding a “container zombie outbreak” that started with an exposed Docker API.
“This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks,” they explained.
Negotiations ongoing?
In this zombie outbreak, the “patient zero” is a misconfigured API that’s left open to the internet. There, the attackers deploy a piece of malware disguised as ‘nginx’, the high-performance, open-source web server and reverse proxy.
The malware scans for vulnerable instances and infects them, and then creates new malicious containers and forces existing ones to mine Dero. At the same time, it continues to spread to other systems.
This is a two-step process, Kaspersky explains. Nginx is the propagation tool that scans for new victims, with the miner being a cloud-based solution. Both components are written in Golang, which makes them rather difficult to detect.
Kaspersky also says that unlike traditional cryptojacking campaigns, this one doesn’t rely on a command & control (C2) server, but instead spreads autonomously, like a worm.
Users running Docker should check their API settings and make sure the API is not exposed to the internet. They should also harden their login credentials, and perform regular security audits and monitoring.
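One way to perform the Docker API check recommended above, as an added example that is not from the article or from Kaspersky: a POSIX shell audit of daemon.json that flags tcp:// listeners bound beyond loopback unless client-certificate verification (tlsverify) is enabled. The hosts and tlsverify keys are real Docker daemon settings; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the article or Kaspersky): audit a Docker daemon.json
# for API listeners reachable from the network, the "patient zero" described above.
# Usage: find_exposed_docker_listeners < /etc/docker/daemon.json
# Prints each flagged listener; exit 0 when nothing is flagged, 1 otherwise.

# Constructed sample configuration with the dangerous setting (plain TCP, all interfaces).
SAMPLE_EXPOSED_CONF='{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }'

# Every tcp:// entry from the "hosts" array (a pasted dockerd command line with
# "-H tcp://..." works too, since only the URL is matched).
list_tcp_hosts() {
    grep -o 'tcp://[^"[:space:]]*' | sort -u
}

# True when a tcp:// listener is bound to the loopback interface only.
# Assumption: anything not on 127.0.0.0/8, localhost or [::1] is reachable from
# other hosts; an empty host part is flagged conservatively.
is_loopback_listener() {
    host="${1#tcp://}"          # strip the scheme
    host="${host%:*}"           # strip the port; [::1] keeps its brackets
    case "$host" in
        127.*|localhost|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# True when client certificate verification is enabled. "tls": true alone is not
# enough: it encrypts the connection but still lets any client talk to the API.
has_tls_verify() {
    grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true'
}

find_exposed_docker_listeners() {
    conf="$(cat)"               # daemon.json text from stdin
    if printf '%s' "$conf" | has_tls_verify; then
        return 0                # mutual TLS: remote listeners are authenticated
    fi
    exposed=0
    for h in $(printf '%s' "$conf" | list_tcp_hosts); do
        if ! is_loopback_listener "$h"; then
            printf '%s\n' "$h"
            exposed=1
        fi
    done
    return "$exposed"
}
```

Run it against the live file with `find_exposed_docker_listeners < /etc/docker/daemon.json`; a non-zero exit means the daemon accepts unauthenticated API calls from the network.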
While cybercriminals usually hijack servers to mine Monero with XMRig, this is not the first time researchers have spotted Dero. According to The Hacker News, CrowdStrike saw Kubernetes clusters being targeted back in March 2023, and a subsequent iteration of the same campaign was spotted by Wiz in June 2024.
Similar to Monero, Dero is also a privacy-focused Layer 1 blockchain, built to support decentralized applications (dApps) and smart contracts.
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.