A notorious cryptocurrency mining botnet has begun focusing on misconfigured Docker APIs, according to CrowdStrike.
LemonDuck has been noticed exploiting ProxyLogon vulnerabilities in Microsoft Trade Server and employing EternalBlue and other exploits to mine cryptocurrency, escalate privileges and move laterally inside of compromised networks.
Now its notice has turned to a single of the world’s most preferred containerization platforms.
The botnet is concentrating on uncovered Docker APIs in purchase to gain preliminary obtain, CrowdStrike defined.
“It runs a destructive container on an exposed Docker API by using a customized Docker Entrypoint to down load a ‘core.png’ impression file that is disguised as Bash script,” it said in a site write-up yesterday.
Just before the payload – an “a.asp” file – is downloaded and mining can begin, it performs a number of steps, like killing the procedures, IOC file paths and C&C connections of competing crypto-mining groups.
The a.asp file also has the functionality to change off Alibaba’s cloud checking provider in buy to fly below the radar of network defenders.
LemonDuck tries to shift laterally by hunting for SSH keys on a filesystem, applying them to log into further servers and operate its malicious scripts.
The researchers also observed numerous strategies running from numerous of the C&C servers associated with LemonDuck, including types concentrating on Windows and Linux machines.
“Due to the cryptocurrency boom in modern several years, put together with cloud and container adoption in enterprises, cryptomining is confirmed to be a monetarily beautiful option for attackers,” CrowdStrike concluded.
“Since cloud and container ecosystems intensely use Linux, it drew the notice of the operators of botnets like LemonDuck, which began focusing on Docker for cryptomining on the Linux platform.”
The campaign highlights the want for directors to be certain their container environments are properly configured in accordance to industry most effective practices, and preferably with cloud workload security and detection and response instruments put in.
Some pieces of this short article are sourced from: