Aqua Security's research arm, Team Nautilus, has published a report on a cryptomining campaign that abuses misconfigured Docker API endpoints. The campaign has been running since 2019. Anyone who can reach an unauthenticated Docker API can create and start containers on that host, which is how the attackers gain their initial foothold; from there they install a backdoor on the compromised host and use it to mine cryptocurrency. The campaign is script-based, and Team Nautilus dubbed it Autom after the shell script, autom.sh, that drives the attack. The way the Docker API is abused has not changed over the life of the campaign, but the evasion techniques have been revised repeatedly, which is why the activity has gone largely undetected. The researchers began tracking the attacks with honeypots deployed in 2019 and saw a sharp drop in attacks in 2021, which they take to mean the attackers identified the honeypots and stopped targeting them.
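The misconfiguration behind this campaign is a Docker daemon whose API listens on TCP without client authentication. The script below is an added example, not code from the Aqua report or from Docker: it audits a dockerd command line and/or a daemon.json fragment and classifies each TCP listener. The flag and key names it parses (-H/--host, --tls, --tlsverify, and the "hosts", "tls", "tlsverify" keys) are dockerd's own; the finding labels and the sample command lines in the comments are this example's assumptions.

```python
import json
import shlex
from urllib.parse import urlsplit

# Assumption for this example: the finding names below are our own labels, and
# dockerd itself refuses to start when "hosts" is set both on the command line and
# in daemon.json, so in practice only one of the two inputs carries listeners.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _parse_host(spec):
    """Return (scheme, bind address, port) for one dockerd host spec.

    dockerd treats a bare 'addr:port' as tcp://addr:port, and an empty host
    ('tcp://:2375') binds every interface, so it is reported as 0.0.0.0.
    """
    if "://" not in spec:
        spec = "tcp://" + spec
    u = urlsplit(spec)
    return u.scheme, (u.hostname or "0.0.0.0"), u.port


def audit_dockerd(cmdline="", daemon_json=""):
    """Classify every TCP listener configured for dockerd.

    Returns a list of (host_spec, finding) tuples, where finding is one of
    'unauthenticated-network'  - plaintext API reachable from the network,
    'unauthenticated-loopback' - plaintext API, but bound to localhost only,
    'tls-no-client-auth'       - TLS without --tlsverify: encrypted, not authenticated.
    A TCP listener protected by --tlsverify (client certificates required)
    produces no finding; unix:// and fd:// listeners are never reported.
    """
    hosts, tls, tlsverify = [], False, False

    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1                      # consume the flag's value as well
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tls", "--tls=true"):
            tls = True
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True            # --tlsverify implies --tls in dockerd
        i += 1

    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tls = tls or bool(cfg.get("tls", False))
        tlsverify = tlsverify or bool(cfg.get("tlsverify", False))

    findings = []
    for spec in hosts:
        scheme, addr, _port = _parse_host(spec)
        if scheme != "tcp" or tlsverify:
            continue
        if tls:
            findings.append((spec, "tls-no-client-auth"))
        elif addr in LOOPBACK:
            findings.append((spec, "unauthenticated-loopback"))
        else:
            findings.append((spec, "unauthenticated-network"))
    return findings


if __name__ == "__main__":
    # Constructed sample: the classic exposure, a socket plus a plaintext TCP listener.
    for host, finding in audit_dockerd(
        "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
    ):
        print(f"{finding}: {host}")
```

On a live host the same inputs come from the running process (`ps -o args= -C dockerd`) and from `/etc/docker/daemon.json`; anything reported as `unauthenticated-network` is exactly the condition this campaign depends on, and the fix is either to drop the TCP listener or to front it with `--tlsverify` and a CA you control.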
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is