Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API, enabling attackers to use Docker Swarm's orchestration for malicious control.
The attacks exploit unauthenticated Docker API endpoints to launch a cryptocurrency miner on compromised containers while executing further payloads for lateral movement.
Using tools like masscan and ZGrab, attackers identify vulnerable endpoints and deploy a malicious shell script that checks for root access before downloading the XMRig miner.
The shell script also fetches three other scripts for lateral movement across Docker, Kubernetes, and SSH endpoints, scanning ports associated with Docker services.
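The entry point described above is a Docker Engine API reachable over TCP without TLS client authentication. The following audit is an added example (not from the article or from Docker): it reads a `daemon.json`, which is assumed to hold the `hosts` and `tls*` keys Docker documents, and flags any `tcp://` listener that is not protected by `tlsverify` with a CA certificate. The two sample configurations are constructed for illustration.

```python
"""Audit a Docker daemon.json for unauthenticated TCP API listeners (added example)."""
import json
from urllib.parse import urlsplit

# Constructed sample configurations; not taken from the article.
# Weak: the API is exposed on the plaintext port with no client authentication.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Hardened: TLS with client-certificate verification against a CA.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def unauthenticated_tcp_listeners(daemon_json: str) -> list:
    """Return the tcp:// listeners that accept API calls without client auth.

    Docker only authenticates API clients when tlsverify is set together with
    a CA certificate; "tls": true alone encrypts but does not authenticate.
    """
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):  # daemon.json permits a single string here
        hosts = [hosts]
    client_auth = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for host in hosts:
        if urlsplit(host).scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        if not client_auth:
            findings.append(host)
    return findings


def audit(daemon_json: str) -> str:
    """One-line verdict suitable for a compliance or detection pipeline."""
    exposed = unauthenticated_tcp_listeners(daemon_json)
    if not exposed:
        return "OK: no unauthenticated TCP API listeners"
    return "RISK: unauthenticated Docker API on " + ", ".join(exposed)


if __name__ == "__main__":
    print(audit(WEAK_CONFIG))
    print(audit(HARDENED_CONFIG))
```

A listener bound to a private address is still flagged: the article's scanners only need network reachability, so the check deliberately treats any non-authenticated `tcp://` host as a finding.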