Crypto-mining botnet exploits insecure Docker installations


John Leyden December 2, 2020 at 4:50 pm UTC

Updated: 02 December 2020 at 17:19 UTC

There is something bad about that container

Cybercriminals have been caught exploiting improperly configured Docker installations to spread cryptomining malware.

Cisco Talos researchers identified the tactic after a cryptocurrency mining botnet strayed onto a honeypot system set up to monitor Docker-related threats.

The so-called Xanthe botnet targets Linux-based systems, pressing compromised hosts into mining the Monero cryptocurrency for the attackers in place of their normal workload.

“The [threat] actor uses various methods to disseminate over the network, such as collecting client-side certificates for dissemination to known hosts using SSH, or dissemination to systems with an incorrectly configured Docker API,” according to a Cisco Talos threat article.
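The “incorrectly configured Docker API” the researchers refer to is a daemon listening on TCP without client authentication. As an added example (not code from Cisco Talos or The Daily Swig), the audit below checks the two places that exposure is configured, the `hosts`/`tls`/`tlsverify` keys of daemon.json and the `-H`/`--host`/`--tls`/`--tlsverify` flags of the dockerd command line, and flags listeners reachable without a client certificate check. All sample configurations are constructed.

```python
"""Added example: flag a Docker API reachable over the network without
client authentication. Not code from Cisco Talos or The Daily Swig."""
import json
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def exposed_tcp_hosts(hosts: list) -> list:
    """tcp:// listeners not bound to loopback ("tcp://:2375" means all
    interfaces); unix:// and fd:// listeners are local-only."""
    exposed = []
    for h in hosts:
        if h.startswith("tcp://"):
            bind = h[len("tcp://"):].rsplit(":", 1)[0]
            if bind not in LOOPBACK:
                exposed.append(h)
    return exposed


def rate(source: str, hosts: list, tls: bool, tlsverify: bool) -> list:
    """Only tlsverify authenticates clients; tls alone just encrypts."""
    tcp = exposed_tcp_hosts(hosts)
    if not tcp or tlsverify:
        return []
    why = "TLS without tlsverify: any client accepted" if tls else "no TLS, no client auth"
    return [f"{source}: {', '.join(tcp)} exposes the Docker API ({why})"]


def audit_daemon_json(text: str) -> list:
    """Audit the JSON text of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    return rate("daemon.json", cfg.get("hosts", []),
                bool(cfg.get("tls")), bool(cfg.get("tlsverify")))


def audit_dockerd_cmdline(cmdline: str) -> list:
    """Audit a dockerd command line, e.g. as shown by `ps -o args`."""
    args, hosts, tls, tlsverify = shlex.split(cmdline), [], False, False
    for i, a in enumerate(args):
        key, _, val = a.partition("=")
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif (key == "--host" and val) or (a.startswith("-H") and len(a) > 2):
            hosts.append(val or a[2:])
        elif key == "--tls":
            tls = val != "false"
        elif key == "--tlsverify":
            tlsverify = val != "false"
    return rate("dockerd", hosts, tls, tlsverify)
```

A listener on tcp://0.0.0.0:2375 with no `tlsverify` is reported; the same listener with `tlsverify` set, or one bound to 127.0.0.1, is not.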

According to Cisco Talos, the Xanthe botnet has been active since March but had not previously been documented.

The botnet’s main payload is a variant of the XMRig Monero mining malware. Companion components maintain its foothold and persistence on compromised systems.

“Two additional bash scripts terminate security services, removing concurrency botnets and ensuring persistence by creating scheduled cron jobs and modifying one of the system startup scripts,” according to Cisco Talos.

More curious and more privateer …

Vanja Svajcer, a security researcher at Cisco Talos and co-author of the blog post documenting the discovery, described the threat as “a bit of a curiosity.”

“If you’re looking to build a mining botnet, you want to do the numbers and there aren’t many Docker installations out there – 6k or so according to Shodan,” Svajcer told The Daily Swig. “They won’t be protected like standard endpoints, so they may go undetected for longer.”

Other security experts have said the threat has implications beyond unsafe Docker installations.

“We have already seen this with public repositories such as node, Ruby and Python,” said infosec professional Ed Daniel. “This is no different: without rigorous controls, this is an excellent way to cause havoc.”
