Docker API Exploits Fuel Covert Crypto Mining Via Tor

Cybercriminals are actively exploiting misconfigured Docker APIs to conduct cryptocurrency mining operations, leveraging the Tor network for anonymity. This sophisticated cryptojacking campaign targets publicly exposed Docker services, installing Monero miners and spreading across networks, posing significant risks to affected organizations.

The Attack Vector

Attackers are primarily targeting Docker services exposed on TCP ports 2375 or 2376, the conventional ports for remote Docker API access (2375 for plaintext, 2376 for TLS). A daemon bound to these ports without TLS verification accepts unencrypted and unauthenticated commands, which makes such hosts straightforward entry points. Once access is gained, the attackers deploy malicious scripts to scan for and compromise additional hosts.

Cryptojacking Modus Operandi

  • Initial Compromise: Attackers identify misconfigured Docker APIs and gain initial access.

  • Container Creation: A new Docker container, often based on the "alpine" image, is created with the host's root filesystem bind-mounted into it at "/hostroot", enabling the container to read and modify any file on the host.

  • Tor Network Integration: A Base64-encoded shell script is executed to set up Tor within the container, routing all traffic and DNS resolution through it for enhanced anonymity.

  • Script Deployment: A remote script from a .onion domain is fetched and executed. This script, often named 'auto.sh', is responsible for extending the operation and installing the cryptocurrency miner.

  • Monero Mining: The 'auto.sh' script initiates Monero mining using a variant of MoneroOcean's mining script, often downloaded from Pastebin.

  • Lateral Movement: The script scans connected network subnets for other misconfigured Docker daemons, storing their IP addresses for further exploitation using 'test.sh' and 'test3.sh' scripts.

  • Persistence: The 'docker-init.sh' script modifies the system's SSH configuration to enable root login and adds an attacker-controlled SSH key for remote access.
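The steps above leave artifacts a defender can look for on a Docker host: a container that bind-mounts the host root filesystem, an sshd configuration that permits root login, and an SSH key that is not in the organization's inventory. The following script is an added example (it is not from the article or from any vendor tooling) that checks all three. It runs over constructed sample data shaped like the output of `docker inspect`, a sample sshd_config and a sample authorized_keys file; the container names, key bodies and key comments are made up for illustration.

```python
"""Detect host-root bind mounts and SSH persistence on a Docker host.

Added example, not from the original article. The data below is CONSTRUCTED:
the container records follow the JSON shape emitted by `docker inspect`, and the
sshd_config / authorized_keys contents are samples, not captured artifacts.
"""
import json
from typing import Dict, List

# Constructed sample: two containers in `docker inspect` shape.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/friendly-web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Privileged": False, "Binds": ["webdata:/usr/share/nginx/html"]},
        "Mounts": [{"Type": "volume", "Source": "webdata",
                    "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Name": "/sharp_euler",  # constructed, docker-style random name
        "Config": {"Image": "alpine"},
        "HostConfig": {"Privileged": False, "Binds": ["/:/hostroot"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}],
    },
])

# Constructed sample sshd_config after the persistence step described above.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed sample authorized_keys; key bodies are placeholders.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3PLACEHOLDERKEYBODY ops@buildhost
ssh-rsa AAAAB3PLACEHOLDERKEYBODY root@unknown
"""

# Approved key comments (constructed inventory).
KNOWN_KEY_COMMENTS = {"ops@buildhost"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def suspicious_containers(inspect_json: str) -> List[Dict[str, str]]:
    """Return containers that bind the host root filesystem or run privileged.

    Any bind mount whose Source is "/" gives the container read/write access to
    the whole host. The campaign uses /hostroot as the destination, but the
    finding does not depend on that path.
    """
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == "/":
                reasons.append(f"host root bind-mounted at {m.get('Destination')}")
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged container")
        if reasons:
            findings.append({"name": c.get("Name", "").lstrip("/"),
                             "image": c["Config"]["Image"],
                             "reason": "; ".join(reasons)})
    return findings


def root_login_enabled(sshd_config: str) -> bool:
    """True if the effective PermitRootLogin directive is 'yes'.

    sshd uses the first occurrence of a keyword, so the scan stops there.
    Comments are ignored; 'no' and 'prohibit-password' are treated as safe,
    and the modern OpenSSH default (prohibit-password) applies if absent.
    """
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() == "yes"
    return False


def unknown_authorized_keys(authorized_keys: str, known_comments: set) -> List[str]:
    """Return key comments not present in the approved inventory.

    Handles an optional options prefix (e.g. command="...") before the key type.
    """
    unknown = []
    for line in authorized_keys.splitlines():
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or len(fields) < idx + 3:
            continue  # malformed or uncommented key; skip
        if fields[idx + 2] not in known_comments:
            unknown.append(fields[idx + 2])
    return unknown


if __name__ == "__main__":
    for f in suspicious_containers(SAMPLE_INSPECT):
        print(f"[container] {f['name']} ({f['image']}): {f['reason']}")
    if root_login_enabled(SAMPLE_SSHD_CONFIG):
        print("[sshd] PermitRootLogin yes is in effect")
    for k in unknown_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEY_COMMENTS):
        print(f"[ssh-keys] unapproved key present: {k}")
```

On a live host the same functions can be fed the output of `docker inspect $(docker ps -q)`, `/etc/ssh/sshd_config` and `/root/.ssh/authorized_keys`; the sample run reports the "sharp_euler" container, the root-login setting and the unapproved key.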

Tools and Tactics

The attackers employ a "living off the land" strategy, utilizing utilities already present on the target system such as Docker, wget, cURL, Bash, iproute2, MASSCAN, apt-get, yum, up2date, pacman, dpkg-query, and systemd. They also install tools such as masscan, libpcap, zstd, and torsocks, and beacon details about the infected system to a C&C server.

Impact and Mitigation

This cryptojacking campaign has been observed targeting technology companies, financial services, and healthcare organizations. Beyond cryptocurrency mining, misconfigured Docker services can be exploited for various malicious activities, including launching distributed denial-of-service attacks or spreading malware.

To mitigate these risks, organizations are strongly advised to:

  • Enable TLS: Secure Docker communication over the network by enabling the 'tlsverify' daemon flag (or the "tlsverify" key in daemon.json) and pointing the 'tlscacert' flag at a trusted CA certificate. This ensures that the Docker daemon only accepts connections from clients presenting a certificate signed by that CA.

  • Restrict Access: Limit public exposure of Docker APIs and implement strict access controls.

  • Regular Audits: Conduct regular security audits of Docker configurations and container environments to identify and remediate misconfigurations.

  • Patch Management: Ensure all systems and software are up-to-date with the latest security patches.
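The exposure described under "The Attack Vector" and the TLS mitigation above both come down to a handful of settings in the daemon's configuration. The script below is an added example (not from the article or from Docker's own tooling) that audits a daemon.json: it flags a TCP listener on all interfaces, use of the plaintext port 2375, a missing "tlsverify", and missing certificate paths. The documented daemon.json keys "hosts", "tls", "tlsverify", "tlscacert", "tlscert" and "tlskey" are used; the two configurations, the bind address and the certificate paths are constructed samples.

```python
"""Audit a Docker daemon.json for remote-API exposure and TLS settings.

Added example, not from the original article. WEAK_DAEMON_JSON and
HARDENED_DAEMON_JSON are CONSTRUCTED samples; the certificate paths and the
10.0.0.5 bind address are placeholders.
"""
import json
from typing import List

# Constructed: daemon reachable over plain TCP on every interface, no TLS.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: TLS port, client certificates required, bound to one interface.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})

ALL_INTERFACES = ("", "0.0.0.0", "[::]", "::")


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return a list of findings; an empty list means the remote API is safe.

    A daemon that listens only on the unix socket has no network exposure and
    passes without further checks.
    """
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings

    for h in tcp_hosts:
        addr = h[len("tcp://"):]
        host, sep, port = addr.rpartition(":")
        if not sep:              # no port given: the whole string is the host
            host, port = addr, ""
        if host in ALL_INTERFACES:
            findings.append(f"{h}: listens on all interfaces")
        if port == "2375":
            findings.append(f"{h}: port 2375 is the conventional plaintext API port")

    # tlsverify is what actually authenticates clients; tls alone only encrypts.
    if not cfg.get("tlsverify"):
        findings.append("tlsverify is not enabled: clients are not authenticated")
    for key in ("tlscacert", "tlscert", "tlskey"):
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        results = audit_daemon_config(conf)
        print(f"{label}: {'OK' if not results else ''}")
        for r in results:
            print(f"  - {r}")
```

Run against `/etc/docker/daemon.json` on a real host, the weak sample produces six findings and the hardened one none; a daemon that exposes no `tcp://` listener at all also passes, which is the preferred state unless remote API access is genuinely required.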

Sources

  • Misconfigured Docker Services Actively Exploited in Cryptojacking Operation, BleepingComputer.

  • Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network, The Hacker News.
