An Unknown Hacking Group is Looking for Exposed Docker Platforms

• A mass-scanning operation for Docker platforms with exposed API endpoints is being conducted by a hacking group.
• This operation started on November 24 this year and was immediately singled out owing to its massive size.

This operation means that Docker admin ports are still left exposed on the internet, in spite of the huge number of looming cyber risks.

Going a notch higher than normal

Researchers observed that this wasn’t a normal operation, considering the large uptick in scanning activity. The malicious actors deployed cryptominers on the exposed Docker platforms.

“As others have noted, this isn't your average script kiddie exploit attempt. There was a moderate level of effort put into this campaign, and we haven't fully analyzed every single thing it does as of yet,” said Troy Mursch, chief research officer and co-founder of Bad Packets LLC, who discovered this campaign.

Digging into the details

This operation is believed to be scanning over 59,000 IP networks for exposed Docker instances.

• Once an exposed host has been identified, the API endpoint is used to start an Alpine Linux OS container where it runs a certain command.
• Then, XMRRig cryptocurrency miner is installed. In the past two days, the hackers have reportedly mined Monero coins that are worth more than $740.
• This operation is also armed with a self-defense measure. It uninstalls known monitoring agents and kills certain processes.
• Researchers observed that apart from security tools, rival cryptocurrency-mining botnets were also shut down by this operation.

Apart from this, a function of the malicious script was also found to be looking for rConfig configuration files that it encrypts and steals. The stolen files were being sent to the command-and-control server.

Expert recommendations

If you run a Docket instance, experts recommend checking for exposed API endpoints on the internet, closing the ports, and terminating unrecognized running containers.