
Cryptomining Attack Exploits Docker API Since 2019

Aquasec’s research arm, Team Nautilus, published a report outlining a cryptomining campaign they discovered that exploits a misconfigured Docker API. The attacks have been ongoing since 2019 and allowed the threat actor to gain network entry and ultimately set up a backdoor on compromised hosts to mine cryptocurrency. The technique is script-based and is dubbed Autom because it uses a shell script named autom.sh. The way the attackers exploit the Docker API has remained the same. However, their evasion techniques have changed over the course of the campaign, which has allowed the attackers to remain undetected in most cases. Researchers set up honeypots in 2019 to begin tracking and researching the attacks and saw a significant decrease in attacks in 2021, leading them to believe the attackers identified the honeypots and stopped targeting them.
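The misconfiguration at the root of this campaign is a Docker daemon whose API listens on a TCP port without client certificate verification, so anyone who can reach the port can create containers. The following audit helper is an added example for this post (not code from Aqua's report or from Binary Defense); it parses a daemon.json, flags a TCP listener that lacks tlsverify or that binds every interface, and is shown against two constructed configurations, a weak one and a hardened one. The file paths and the 10.0.0.5 address in the hardened sample are assumptions chosen for illustration.

```python
"""Audit a Docker daemon.json for an unauthenticated or over-exposed remote API."""
import json
from typing import List

# Constructed sample: unencrypted, unauthenticated API on every interface.
# This is the kind of exposure the Autom campaign relies on.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Constructed sample: TLS with mutual authentication, bound to one address.
# Certificate paths and the 10.0.0.5 address are assumptions for illustration.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return a list of findings for the given daemon.json text.

    An empty list means no remotely reachable listener was found, or every
    TCP listener requires a client certificate and is bound to a specific
    address.
    """
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    hosts = cfg.get("hosts", [])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        # Only the local unix socket: the API is not reachable over the network.
        return findings

    if not cfg.get("tlsverify"):
        # Without tlsverify the daemon accepts any client, authenticated or not.
        for host in tcp_hosts:
            findings.append(f"unauthenticated Docker API listener: {host}")
    else:
        # tlsverify is only meaningful if the CA and server key pair are configured.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify enabled but {key} is missing")

    for host in tcp_hosts:
        # Binding to all interfaces widens the reachable surface even with TLS.
        if host.startswith("tcp://0.0.0.0:") or host.startswith("tcp://[::]:"):
            findings.append(f"Docker API bound to all interfaces: {host}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or ["no findings"])
```

Run it against a real host by reading /etc/docker/daemon.json into audit_daemon_config. One caveat when remediating: on distributions whose systemd unit starts dockerd with its own -H flag, adding a "hosts" key to daemon.json conflicts with that flag and the daemon will refuse to start, so the listener should be set in one place only.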

Analyst Notes

The change in evasion techniques points to a more sophisticated threat actor actively working to hide their attacks. Changing techniques makes it harder for companies and individuals to determine whether they have been targeted by these attacks. Companies should use a monitoring service within their organization that specializes in finding and mitigating attacks quickly. Binary Defense’s Managed Detection and Response, along with the 24/7 Security Operations Task Force, is a great way to identify attacks and put a stop to them before they can move across an entire network.

Cryptomining Attack Exploits Docker API Misconfiguration Since 2019