Hackers targeting Docker Swarm, Kubernetes, and SSH servers in large-scale attacks



Hackers are exploiting Docker Swarm, Kubernetes, and SSH servers, targeting Docker API vulnerabilities as the entry point in a widespread malware campaign, according to DataDog researchers.

Large-Scale Server Exploits

Threat actors compromise containers by installing cryptocurrency mining software and then use these infected systems to initiate lateral attacks within the network. They target the Kubernetes kubelet API, which allows them to expand their control, allocate additional resources, and deploy further malicious payloads.

Source – DATADOG Security Labs

This campaign also leverages Docker Hub, a widely used platform for sharing container images, to distribute malware. By uploading infected images to Docker Hub, the attackers can further spread their malicious software to unsuspecting users who download and deploy these compromised container images, significantly increasing the scale and reach of the attack.

Under the alias “nmlmweb3,” attackers use malicious repositories to target exposed Docker APIs. They initiate the attack by creating an Alpine container and running an initialization script (“init.sh”).

This script installs the XMRig miner, hides processes, and fetches more payloads. Lateral movement is enabled using scripts for Kubernetes (“kube.lateral.sh”), Docker (“spread_docker_local.sh”), and SSH (“spread_ssh.sh”).

The malware scans networks for vulnerable endpoints using tools like “masscan” and “zgrab,” disables security features, installs mining software, and attempts to spread to other machines. Attackers also target cloud services like GitHub and Codespaces to find credential files.

The malware uses evasion techniques and persistence strategies, exploiting Docker API endpoints in a multi-stage attack.

The attackers used various malicious scripts such as “init.sh” and “kube.lateral.sh” to spread across systems and hijack resources for cryptojacking, particularly to mine Monero using XMRig. They exploited Docker Swarm to form a botnet of compromised systems.

For persistence, they employed scripts like “ar.sh” to modify iptables rules, adjust system configurations, and install SSH backdoors. Additionally, the campaign used advanced evasion techniques, like “libprocesshider,” to conceal malicious processes and avoid detection.

Analysis linked the attack to the domain solscan[.]live for C2 and payload delivery, with similarities to “TeamTNT” tactics, though attribution is uncertain. This highlights the importance of securing Docker and Kubernetes environments.
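The campaign described above starts from reachable Docker API endpoints, pivots through the kubelet API, and hides its miner with libprocesshider. The following host-audit script is an added example, not code from the article or from DataDog; it checks constructed samples of the three configuration points a defender would review on a Docker or Kubernetes node (the sample file contents and the `audit_*` function names are assumptions for illustration).

```python
import json

# Constructed sample inputs (not taken from the article): a Docker daemon.json
# that publishes the API over plain TCP, a kubelet configuration (YAML already
# loaded into a dict) that accepts anonymous requests, and an /etc/ld.so.preload
# entry of the kind a process hider such as libprocesshider installs.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_KUBELET_CONFIG = {"authentication": {"anonymous": {"enabled": True}},
                         "authorization": {"mode": "AlwaysAllow"}}
SAMPLE_LD_PRELOAD = "/usr/local/lib/libprocesshider.so\n"

def audit_docker_hosts(daemon_json: str) -> list:
    """Flag Docker API listeners on TCP: without tlsverify anyone who can reach
    the port can create containers, which is this campaign's entry point."""
    findings = []
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are local-only
        addr = host[len("tcp://"):]
        if not tls:
            findings.append(f"docker: API on {addr} without tlsverify")
        elif addr.startswith(("0.0.0.0", "[::]")):
            findings.append(f"docker: API bound to all interfaces on {addr}")
    return findings

def audit_kubelet(config: dict) -> list:
    """Flag kubelet settings that let an unauthenticated caller drive the
    kubelet API, the lateral-movement target the article describes."""
    findings = []
    if config.get("authentication", {}).get("anonymous", {}).get("enabled"):
        findings.append("kubelet: anonymous authentication enabled")
    if config.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("kubelet: authorization mode AlwaysAllow")
    return findings

def audit_ld_preload(text: str) -> list:
    """Report every library in ld.so.preload; the file is normally absent or
    empty, and LD_PRELOAD-based process hiders depend on an entry here."""
    return [f"ld.so.preload: {line.strip()}" for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def run_audit() -> list:
    # Real use would read the three files from the host under review.
    return (audit_docker_hosts(SAMPLE_DAEMON_JSON)
            + audit_kubelet(SAMPLE_KUBELET_CONFIG)
            + audit_ld_preload(SAMPLE_LD_PRELOAD))
```

Each finding maps to one step of the campaign: an exposed API is the entry, a permissive kubelet is the pivot, and a preload entry is the hiding technique.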


By | October 2nd, 2024 (2024-10-03T20:05:21+05:30) | BOTNET, Compromised, Exploitation, Security Advisory, Security Update, vulnerability

About the Author:

FirstHackersNews - Identifies Security
