Cryptomining botnet targeting Docker on Linux systems | #cloudsecurity


Credit: Dreamstime

LemonDuck, a well-known cryptomining botnet, is targeting Docker on Linux systems to coin digital money, CloudStrike has reported.

The vendor’s threat research team revealed in a blog written by Manoj Ahuje that the botnet is leveraging Docker APIs exposed to the internet to run malicious containers on Linux systems.

Docker is used to build, run, and mange containerised workloads. Since it runs primarily in the cloud, a misconfigured instance can expose a Docker API to the internet where it can be exploited by a threat actor, who can run a crypto miner inside an outlaw container.

Docker containers a soft target

Mike Parkin, an engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that one of the main ways attackers compromise containerised environments is through misconfigurations, which just shows how many organisations are failing to follow industry best practices.

“There are tools available that can protect these environments from unauthorised use, and workload monitoring tools that can flag unusual activity,” he said in an interview. “The challenge can be coordinating between the development teams and the security teams, but there are risk management tools that can handle that as well.”

Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes, and cloud, added that while Docker provides a high degree of programmability, flexibility, and automation it has an unintended side effect of increasing the attack surface.

“This is especially true as container technologies get adopted more broadly by the mainstream market,” he said in an interview. “This creates a soft target for adversaries to compromise Docker, since it unlocks a lot of compute power for cryptomining.”

How LemonDuck works

After running its malicious container on an exposed API, LemonDuck downloads an image file named core.png disguised as a bash script, Ahuje explained. Core.png acts as a pivot point for setting up a Linux cronjob, which can be used to schedule scripts or other commands to run automatically.





Original Source link




Leave a Reply

Your email address will not be published.

fifteen − eleven =