A Crypto-Mining Docker Botnet Now Stealing AWS Credentials

Threat Watch

Threat Watch A Crypto-Mining Docker Botnet Now Stealing AWS Credentials

A Crypto-Mining Docker Botnet Now Stealing AWS Credentials

Analysts with Trend Micro have reported an update to a botnet that now collects Docker and Amazon Web Services (AWS) credentials after deploying an XMR crypto miner. Trend Micro had previously reported that a threat actor group they call TeamTNT established a botnet that attempted to access Docker containers with exposed APIs without a password. In this new version, after the miner Is deployed, the malware will try to steal AWS credentials and Docker API credentials to move laterally to other systems and siphon off more resources.

ANALYST NOTES

Binary Defense has written previously about the pervasiveness of this kind of malware as it continues to grow and take advantage of cloud and development resources such as Docker and AWS. Defending against malware such as these starts with understanding where the Docker APIs are first located and making sure that the container APIs are not externally facing. If these APIs need to be externally facing, they should be put behind a firewall with strict rules to prevent any unwanted incoming connections from untrusted sources. Including logs from Docker into continuous monitoring and alerting should also be implemented. Resources and References: https://www.zdnet.com/article/a-crypto-mining-botnet-is-now-stealing-docker-and-aws-credentials/

What Do Criminal Hackers and Scammers Discuss on Forums?

Cybersecurity predictions for 2021 after an unpredictable 2020

Qakbot Upgrades to Stealthier Persistence Method

Threat Hunting Malware Beacons With Microsoft Sentinel And Jupyter Notebooks

Threat Watch