Datadog Security Research has uncovered a new and widespread malware campaign targeting Docker and Kubernetes environments, where threat actors exploit vulnerabilities in container orchestration technologies to mine cryptocurrency. The campaign, which relies on misconfigured Docker API endpoints exposed to the internet, has already compromised numerous containers and cloud hosts, deploying cryptocurrency miners across multiple platforms.
The attack begins with threat actors scanning the internet for Docker API endpoints that lack proper authentication. Using tools like masscan and zgrab, attackers identify vulnerable Docker containers and execute malicious commands that spawn new containers, compromising the system. The attackers use these compromised containers to deploy XMRig, a popular cryptocurrency mining software, which mines Monero (XMR) for the attackers’ wallets.
One of the key tools involved in the campaign is an initialization script (init.sh) which, once executed, sets up the container for further compromise. The script downloads additional payloads from the attackers’ Command and Control (C2) server, installs necessary data transfer tools like curl and wget, and even deploys a custom process hider to prevent detection.
The malware doesn’t stop at infecting a single Docker instance. Once inside, it spreads across the cloud infrastructure using a series of lateral movement techniques, specifically targeting both Docker and Kubernetes. Scripts like kube.lateral.sh and spread_docker_local.sh scan local area networks for open Kubernetes (port 10250) and Docker (ports 2375, 2376, and 2377) endpoints, allowing the malware to propagate like a worm across multiple systems.
Infected Kubernetes clusters are further compromised by targeting the Kubelet API, which allows attackers to manage pods and execute malware directly on containers within the cluster. By exploiting this API, the threat actors can deploy additional containers dedicated to mining cryptocurrency, significantly increasing their operational scale.
The malware also uses Docker Hub, the popular container image repository, to host and distribute its malicious payloads. Datadog researchers discovered that a Docker Hub user, under the username nmlmweb3, had published images containing the malicious scripts. These images are downloaded and executed by the malware to further propagate the attack.
Interestingly, the attackers also manipulate Docker Swarm environments by forcing compromised Docker instances to leave existing Swarm networks and join a malicious Swarm controlled by the threat actors. This enables them to coordinate and control large numbers of infected hosts as part of a botnet dedicated to cryptocurrency mining.
The campaign highlights the critical issue of misconfigurations in cloud environments, specifically Docker API endpoints that are exposed without authentication. These open entry points serve as the attack vector for initial compromise. Threat actors then use additional scripts, such as spread_ssh.sh, to target SSH servers, scanning for misconfigured systems and using them to propagate further.
The campaign’s success lies in its ability to capitalize on these common misconfigurations, allowing it to spread rapidly across cloud infrastructure. Each compromised node contributes to a massive, distributed cryptomining operation, which continues to generate profits for the attackers with minimal interference.
To protect against these threats, cloud administrators must ensure proper security configurations, including the use of authentication for Docker APIs, securing Kubernetes clusters, and monitoring for suspicious activity. As cryptojacking campaigns continue to evolve, proactive security measures are essential to safeguarding cloud environments.
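As an added example (not code from the article or from Datadog's report), the following Python audit reads a Docker `daemon.json` and flags the exposure the campaign relies on: an Engine API TCP listener bound on every interface, or one running without TLS client verification. The weak and hardened sample configurations, and the certificate paths in them, are constructed for illustration.

```python
import json
from typing import List

def audit_docker_daemon(cfg: dict) -> List[str]:
    """Return findings for a parsed /etc/docker/daemon.json.

    The campaign's entry point is an Engine API reachable over TCP with no
    client authentication, so the checks focus on the `hosts` listeners and
    on whether TLS client verification (tlsverify) is enabled for them.
    """
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if bind in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: Engine API bound on all interfaces")
        if port == "2375":
            findings.append(f"{host}: 2375 is the conventional plaintext API port")
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: any client can drive the API")
    elif tcp_hosts and not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify set but tlscacert/tlscert/tlskey are incomplete")
    return findings

def audit_daemon_json(text: str) -> List[str]:
    """Convenience wrapper: audit the raw JSON text of daemon.json."""
    return audit_docker_daemon(json.loads(text))

# Constructed sample configurations (not taken from the article).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        findings = audit_daemon_json(text)
        print(f"{name}: {'no findings' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the daemon.json of each host; a clean result still leaves the unix socket local-only, which is the configuration the campaign cannot reach from the internet.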