Hackers Targeting Docker Servers for Cryptocurrency Mining Malware
Security researchers have uncovered a widespread campaign by hackers to compromise Docker servers through exposed APIs, with the goal of spreading cryptocurrency mining malware. Aqua Security has been monitoring this organized attack for several months, noting thousands of attempts to exploit misconfigured Docker Daemon API ports on a daily basis.
How the Attack Works
In this attack, hackers exploit a misconfigured Docker API port to deploy an Ubuntu container carrying the Kinsing malware. This malicious software is designed to run a cryptominer and propagate itself to other containers and hosts within the network. The Ubuntu container is specifically crafted to disable security measures, erase logs, terminate competing malware, and download the Kinsing malware for cryptocurrency mining.
Once the Kinsing malware is downloaded, it establishes connections with command and control servers in Eastern Europe. Different servers are used for different functions, and the malware attempts to move laterally across the container network by harvesting and using SSH credentials.
The kdevtmpfsi cryptominer utilized in this attack is tailored to mine for Bitcoin, further incentivizing hackers to compromise Docker servers for financial gain.
Protecting Against Docker Server Attacks
DevSecOps teams are advised to enhance their security measures by implementing least privilege access policies, conducting image scans, monitoring user behavior for anomalies, and investing in cloud security tools to enforce policies effectively. With containers becoming a primary target for cyber threats, proactive security measures are essential to safeguarding Docker servers.
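As an added example (not code from the article or from Aqua Security) of the kind of check behind that advice, the script below audits a Docker daemon.json for the exposed-API misconfiguration the campaign looks for and a `docker inspect` entry for least-privilege violations; all inputs are constructed samples, and the file paths and addresses in them are placeholders.

```python
import json

# Constructed daemon.json samples (not from the article). The first exposes
# the Daemon API on every interface with no TLS client verification; the
# second binds to an internal address and requires client certificates.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem"})

# Constructed `docker inspect` fragment: a privileged container that shares
# the host PID namespace and mounts the host's Docker socket.
RISKY_CONTAINER_JSON = json.dumps({
    "Name": "/ubuntu-worker",
    "HostConfig": {"Privileged": True, "PidMode": "host",
                   "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}})


def audit_daemon_config(text):
    """Return findings for a daemon.json document (empty list = no issue)."""
    cfg = json.loads(text)
    findings = []
    tls_ok = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are not reachable from the network
        if not tls_ok:
            findings.append(f"{host}: API reachable without TLS client auth")
        if "://0.0.0.0" in host or "://[::]" in host:
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit_container(text):
    """Return least-privilege findings for one `docker inspect` entry."""
    c = json.loads(text)
    hc = c.get("HostConfig", {})
    name = c.get("Name", "?")
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    if any("docker.sock" in b for b in hc.get("Binds") or []):
        findings.append(f"{name}: mounts the Docker socket")
    return findings
```

Feed `audit_container` the entries of `docker inspect $(docker ps -q)` to sweep a live host; anything it reports on an unfamiliar Ubuntu container deserves a closer look.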
While user error is a common factor in misconfigured containers, security incidents can also stem from vulnerabilities in container platforms. In a notable incident in April 2019, Docker Hub experienced unauthorized access affecting 190,000 accounts, highlighting the importance of securing container repositories.
As the threat landscape continues to evolve, organizations must prioritize container security to mitigate the risk of cryptocurrency mining malware and other cyber threats targeting Docker servers.