This operation shows that Docker administration ports are still being left exposed on the internet, despite the well-known risks of doing so.
Going a notch higher than normal
Researchers observed that this wasn’t a normal operation, considering the large uptick in scanning activity. The malicious actors deployed cryptominers on the exposed Docker platforms.
“As others have noted, this isn't your average script kiddie exploit attempt. There was a moderate level of effort put into this campaign, and we haven't fully analyzed every single thing it does as of yet,” said Troy Mursch, chief research officer and co-founder of Bad Packets LLC, who discovered this campaign.
Digging into the details
This operation is believed to be scanning over 59,000 IP networks for exposed Docker instances.
In addition, one function of the malicious script was found to search for rConfig configuration files, which it encrypts and exfiltrates to the campaign's command-and-control server.
Expert recommendations
If you run a Docker instance, experts recommend checking whether its API endpoints are exposed to the internet, closing those ports, and terminating any running containers you do not recognize.
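One way to do the first of those checks from the host's own daemon configuration, as an added example that is not part of the article: it assumes the API listeners are set either in /etc/docker/daemon.json ("hosts") or on the dockerd ExecStart line (-H / --host), and runs offline on the constructed samples at the bottom.

```python
import json
import shlex
from urllib.parse import urlparse

LOCAL_ONLY = {"127.0.0.1", "localhost", "::1"}


def parse_daemon_json(text: str) -> tuple[list[str], bool]:
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def parse_execstart(line: str) -> tuple[list[str], bool]:
    """Return (hosts, tlsverify) from a systemd 'ExecStart=' line for dockerd."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv = shlex.split(cmd)
    hosts = []
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith(("--host=", "-H=")):
            hosts.append(tok.split("=", 1)[1])
    return hosts, any(t in ("--tlsverify", "--tlsverify=true") for t in argv)


def audit(daemon_json: str, execstart: str) -> list[str]:
    """List each API listener reachable beyond loopback, tagged 'plain TCP' (no
    auth at all) or 'TLS' (client certs required, but still network-facing)."""
    h1, tls1 = parse_daemon_json(daemon_json)
    h2, tls2 = parse_execstart(execstart)
    tlsverify = tls1 or tls2
    findings = []
    for h in h1 + h2:
        u = urlparse(h if "://" in h else "tcp://" + h)  # bare host:port means tcp
        if u.scheme != "tcp":
            continue  # unix:// and fd:// listeners never leave the host
        if (u.hostname or "") in LOCAL_ONLY:
            continue  # bound to loopback only
        findings.append(f"{h}: {'TLS' if tlsverify else 'plain TCP'}")
    return findings

# Constructed samples (not from the article): a socket-only host, and one binding the API to every interface without TLS.
SAFE_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'
EXPOSED_UNIT = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                "--containerd=/run/containerd/containerd.sock")

if __name__ == "__main__":
    print("safe:   ", audit(SAFE_JSON, ""))      # []
    print("exposed:", audit("", EXPOSED_UNIT))   # ['tcp://0.0.0.0:2375: plain TCP']
```

A "plain TCP" finding is the configuration this campaign targets; a "TLS" finding still merits firewalling the port, and Docker will refuse to start if "hosts" is set in both daemon.json and the unit file, so in practice only one of the two parsers yields anything.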