Docker API Targeted by New Cryptojacking Attack that Creates a Swarm Botnet

• The Docker Engine API is abused to deploy a cryptocurrency miner on compromised containers.
• Exposed Docker API endpoints without authentication are a big part of the infection chain.
• The TTPs used by the hackers in this cryptojacking campaign are believed to overlap with TeamTNT.

A new cryptojacking campaign exploiting the Docker Engine API to commandeer instances for a malicious Docker Swarm was documented by cybersecurity researchers. This attack enables threat actors to leverage Docker Swarm's orchestration features for command-and-control (C2) purposes.

The campaign utilizes unauthenticated and exposed Docker API endpoints, scanning them with tools like masscan and ZGrab. Upon finding vulnerable endpoints, the attackers spawn an Alpine container to retrieve an initialization script (init.sh) from a remote server. 

This script checks system configurations before downloading the XMRig miner and other payloads for lateral movement across Docker, Kubernetes, and SSH environments.

The attackers deploy cryptocurrency miners on compromised containers for initial access and move laterally via executing shell scripts—kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh—to propagate malware across networks.

The libprocesshider rootkit to conceal malicious processes helps with evasion, while persistence is established via modified iptables and installing backdoors via additional scripts (ar.sh, TDGINIT.sh, pdflushs.sh).

The malicious campaign highlights the vulnerability of Docker and Kubernetes environments, further exacerbated by exposed Docker API endpoints without authentication. 

Infection can be prevented by ensuring Docker APIs require authentication, regularly updating security protocols to mitigate unauthorized access, and Conducting thorough audits to detect and remove unauthorized containers and instances.

While the specific threat actors remain unidentified, the techniques used align with known patterns of TeamTNT, a group recognized for targeting cloud environments for cryptojacking and infiltrating misconfigured Kubernetes servers using worm-like attacks.