Analysts with Trend Micro have reported an update to a botnet that now collects Docker and Amazon Web Services (AWS) credentials after deploying an XMR crypto miner. Trend Micro had previously reported that a threat actor group they call TeamTNT established a botnet that attempted to access Docker containers through exposed APIs that required no password. In this new version, after the miner is deployed, the malware tries to steal AWS credentials and Docker API credentials in order to move laterally to other systems and siphon off more resources.
Binary Defense has written previously about the pervasiveness of this kind of malware as it continues to grow and take advantage of cloud and development resources such as Docker and AWS. Defending against malware such as this starts with understanding where the Docker APIs are located and making sure that the container APIs are not externally facing. If these APIs must be externally facing, they should be placed behind a firewall with strict rules that block unwanted incoming connections from untrusted sources. Docker logs should also be fed into continuous monitoring and alerting.
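The two checks described above (is the Docker API bound to an external interface, and is the TCP listener protected) can be scripted. The following is an added example written for this page, not code from Binary Defense or Trend Micro. It audits a Docker `daemon.json` for `tcp://` entries in the `hosts` list that bind all interfaces or lack `tlsverify`, and scans constructed `ss -lntp`-style output for a `dockerd` listener on a non-loopback address. The sample configs and socket lines are constructed for the demonstration; the paths under `/etc/docker/` are illustrative placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the weak configuration TeamTNT-style scanners look for,
# an unauthenticated Docker API on every interface.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: the hardened form, bound to one internal address and
# requiring client certificates (tlsverify). Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed sample of `ss -lntp` output: one dockerd socket on all interfaces,
# one on loopback, and an unrelated sshd socket that must be ignored.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=7))
LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=401,fd=3))
"""

WILDCARD_ADDRS = {"", "0.0.0.0", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def audit_daemon_config(text):
    """Return a list of findings for tcp:// listeners in a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for entry in cfg.get("hosts", []):
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        if (parts.hostname or "") in WILDCARD_ADDRS:
            findings.append(f"{entry}: listens on all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{entry}: TCP listener without tlsverify")
    return findings


def exposed_docker_listeners(ss_output):
    """Return local address:port strings where dockerd listens off-loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        # ss -lntp columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        if len(fields) < 6 or '"dockerd"' not in fields[5]:
            continue
        local = fields[3]
        addr, _, _port = local.rpartition(":")
        if addr.strip("[]") in LOOPBACK_ADDRS:
            continue
        exposed.append(local)
    return exposed


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
    print("exposed dockerd sockets:", exposed_docker_listeners(SAMPLE_SS_OUTPUT))
```

On a real host the same functions can be pointed at `/etc/docker/daemon.json` and the live output of `ss -lntp`; an empty result from both is the baseline the text asks for, and any `tcp://` entry that survives should sit behind the firewall rules described above.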
Resources and References: