An increase has been observed in cyberattacks aimed at misconfigured Docker container services. In ongoing attacks, cybercriminals are deploying cryptocurrency-mining malware via exposed Redis instances or rogue containers that give complete access to all running containers on Docker Hub.

Attack tactics

An attack was observed in which a cryptocurrency-mining malware searches for and kills other existing cryptocurrency miners in infected Linux systems to fully utilize their computing power.
  • The first step in this infection chain consists of a malicious Docker-run host container being deployed and executed. The entry point is a shell script named calm[.]sh. This script then drops another shell script named cmd.
  • Calm[.]sh will call nginx, a fake application that is an executable and linkable format cryptominer. This fake pretense of nginx is used to stay under the radar and dupe victims into thinking that it’s legitimate.
  • In addition, the attack involved the use of a network scanner identified as ‘zgrab’ that maps the container with the exposed API. This network tool is very popular among container attacks.

If exploitation is not successful, the attackers are observed to be running a cryptocurrency miner on an exposed server that does not need a privileged container to run on.

Recent threats to container services

  • Recently, a vulnerability (tracked as CVE-2021-21284) was discovered in a Docker Engine security feature that could have potentially allowed attackers to escalate privileges from a remapped user to root.
  • A week ago, a campaign by TeamTNT was found to be targeting Kubernetes clusters. The attacker first gained initial access via a misconfigured kubelet that granted anonymous access.


The recent increase in attacks on container services shows how malicious actors are now becoming more sophisticated with their techniques. For protection against such threats, experts suggest organizations choose third-party containers carefully, enable Docker Content Trust, set resource limits for containers, or use security tools created for Docker.

Cyware Publisher