There’s something nasty in that container
Cybercriminals have been caught exploiting misconfigured Docker installations to spread crypto-mining malware.
Researchers at Cisco Talos identified the tactic after a cryptocurrency-mining botnet strayed onto a honeypot system set up to track Docker-related threats.
The so-called Xanthe botnet targeted Linux-based systems, press-ganging compromised resources into mining Monero cryptocurrency for attackers instead of running an installation’s normal workload.
“The [threat] actor employs various methods to spread across the network, like harvesting client-side certificates for spreading to known hosts using SSH, or spreading to systems with an incorrectly configured Docker API,” according to a write-up on the threat by Cisco Talos.
The Xanthe botnet has been active since March without previously getting documented, according to Cisco Talos.
The main payload of the botnet is a variant of the XMRig Monero mining malware. Companion packages secure the botnet’s tenancy and persistence on compromised systems.
“Two additional bash scripts terminate security services, removing competitors’ botnets and ensuring persistence by creating scheduled cron jobs and modifying one of the system startup scripts,” according to Cisco Talos.
Curiouser and curiouser…
Vanja Svajcer, a security researcher at Cisco Talos and co-author of its blog post documenting the discovery, described the threat as a “bit of a curiosity”.
“If you are after building a mining botnet you want to go for numbers and there are not that many Docker installations out there – 6k or so according to Shodan,” Svajcer told The Daily Swig. “They won’t be as secured as standard endpoints so could be undetected for longer.”
Other security experts said the threat had implications beyond insecure Docker installs.
“We've seen this before with public repos like node, Ruby and Python,” said infosec professional Ed Daniel. “This is no different, without strong controls this is a super way to cause havoc.”