Misconfigured Docker instances are the target of a campaign that uses the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments.
"Attackers are exploiting misconfigured Docker APIs to gain access to containerized environments, then using Tor to mask their activities while deploying crypto miners," Trend Micro researchers Sunil Bharti and Shubham Singh said in an analysis published last week.
The point of using Tor is to anonymize their origin while installing the miner on compromised systems. The attacks, according to the cybersecurity company, begin with a request from the IP address 198.199.72(.)27 to obtain a list of all containers on the machine.
If no containers are present, the attacker creates a new one based on the "alpine" Docker image and mounts the host's root directory ("/") as a volume at "/hostroot" inside it. This poses a security risk because it lets the container read and modify files and directories on the physical or virtual host system, amounting to a container escape.
The threat actors then execute a carefully orchestrated sequence of actions: a Base64-encoded shell script, passed as part of the container creation request, sets up Tor inside the container and finally fetches and executes a remote script from a .onion domain ("wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad(.)onion").
"It reflects a common tactic used by attackers to hide command-and-control (C&C) infrastructure, evade detection, and deliver malware or miners in cloud or compromised container environments," the researchers said. "Additionally, the attacker uses 'socks5h' to route all traffic and DNS resolution through Tor for improved anonymity and evasion."
Once the container has been created, the "docker-init.sh" shell script is deployed; it checks for the "/hostroot" directory mounted earlier and modifies the system's SSH configuration to set up remote access, enabling root login and adding an attacker-controlled SSH key under ~/.ssh/.
The threat actor has also been observed installing tools such as masscan, libpcap, zstd and torsocks, beaconing details about the infected system to the C&C server, and finally delivering a binary that acts as a dropper for the XMRig cryptocurrency miner, together with the necessary mining configuration, wallet addresses and mining pool URLs.
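The steps above (host root bind-mounted into a fresh Alpine container, a Base64-decoded shell script as the container command, socks5h/Tor proxying) leave marks in the container's own configuration. The following Python is an added example, not code from the Trend Micro report or from Docker: it triages Docker Engine inspect records (the JSON returned by GET /containers/{id}/json, the same shape `docker inspect` prints) for those indicators. The container records in SAMPLE_CONTAINERS, including the names, IDs and the Base64 payload, are constructed for this example.

```python
"""Triage Docker Engine inspect records for the tradecraft described above:
the host's "/" bind-mounted into a container, a base64-decoded shell script
as the container command, and Tor/socks5h proxying. Input is the JSON from
GET /containers/{id}/json (the shape `docker inspect` prints). The records
in SAMPLE_CONTAINERS are constructed for this example, not report data."""
import json
import re

HOST_ROOT_SOURCES = {"/", "//"}
B64_PIPE = re.compile(r"base64\s+(?:-d|--decode)\b")
TOR_HINTS = re.compile(r"socks5h://|\.onion\b", re.IGNORECASE)


def host_root_binds(container: dict) -> list[str]:
    """Return 'src:dst' strings for bind mounts that expose the host root."""
    hits = set()
    # HostConfig.Binds holds the raw "src:dst[:opts]" strings from the create request
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        if bind.split(":", 1)[0] in HOST_ROOT_SOURCES:
            hits.add(bind)
    # Mounts is the resolved view; check it too in case Binds was omitted
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source") in HOST_ROOT_SOURCES:
            hits.add(f"{m['Source']}:{m.get('Destination')}")
    return sorted(hits)


def suspicious_command(container: dict) -> list[str]:
    """Name the article's indicators found in Entrypoint, Cmd or Env."""
    cfg = container.get("Config") or {}
    text = " ".join(
        (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []) + (cfg.get("Env") or [])
    )
    reasons = []
    if B64_PIPE.search(text):
        reasons.append("base64-decoded shell payload in command")
    if TOR_HINTS.search(text):
        reasons.append("Tor proxy (socks5h) or .onion endpoint")
    return reasons


def triage(containers: list[dict]) -> dict[str, list[str]]:
    """Map container name -> findings; containers with no findings are omitted."""
    report = {}
    for c in containers:
        findings = [f"host root bind mount: {b}" for b in host_root_binds(c)]
        findings += suspicious_command(c)
        if findings:
            report[c.get("Name") or c.get("Id", "?")] = findings
    return report


SAMPLE_CONTAINERS = [
    {   # constructed: mirrors the create request described in the article;
        # the payload decodes to "#!/bin/sh\napk add tor\n" and is harmless
        "Id": "3f1c9a2e7b45",
        "Name": "/tor-miner",
        "Config": {
            "Image": "alpine",
            "Cmd": ["sh", "-c", "echo IyEvYmluL3NoCmFwayBhZGQgdG9yCg== | base64 -d | sh"],
            "Env": ["ALL_PROXY=socks5h://127.0.0.1:9050"],
        },
        "HostConfig": {"Binds": ["/:/hostroot"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}],
    },
    {   # constructed: an ordinary web container with a scoped, read-only bind
        "Id": "9b7d4e1f02ac",
        "Name": "/web",
        "Config": {
            "Image": "nginx:1.27",
            "Cmd": ["nginx", "-g", "daemon off;"],
            "Env": ["PATH=/usr/sbin:/usr/bin"],
        },
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}],
    },
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CONTAINERS), indent=2))
```

Run against a live host by feeding it the output of `docker inspect $(docker ps -aq)`. Detection is secondary to the root cause, though: the daemon API should never listen on a TCP port without TLS client authentication, since an unauthenticated create request with a bind of "/" is equivalent to root on the host.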
"This approach helps attackers avoid detection and simplifies deployment in compromised environments," Trend Micro said, adding that it has observed the activity targeting technology companies, financial services and healthcare organizations.
The findings point to a persistent trend of cyber attacks that target misconfigured or poorly secured cloud environments for cryptojacking purposes.
The development comes as Wiz revealed that an analysis of public code repositories uncovered hundreds of validated secrets in mcp.json and .env files, AI agent configuration files and Python notebooks (.ipynb), turning them into a treasure trove for attackers.
The cloud security company said it found valid secrets belonging to more than 30 companies and startups, including Fortune 100 companies.
"Beyond plain secrets, code execution output in Python notebooks should generally be treated as sensitive," researchers Shay Berkovich and Rami McCarthy said. "Their content, if correlated with a developer's organization, can provide reconnaissance details to malicious actors."
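The Wiz point is that a notebook's saved outputs (stdout, execute results, tracebacks) leak credentials even when the cell source reads them from the environment. The following Python is an added example, not Wiz's tooling: it scans every cell's source and every code-cell output of an .ipynb file, and the same text scanner handles mcp.json or .env content. The pattern set is deliberately small and illustrative, and the notebook and mcp.json contents are constructed for the example (the AWS key is AWS's documented placeholder, AKIAIOSFODNN7EXAMPLE, not a real credential).

```python
"""Scan Jupyter notebooks and agent config files for leaked secrets, treating
notebook outputs (stream text, execute results, tracebacks) as sensitive
alongside the cell source. Added example; patterns are illustrative and the
sample notebook and mcp.json below are constructed, not real data."""
import json
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # KEY=value or "KEY": "value" with a long opaque value (.env and mcp.json style)
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)[\"']?\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})"
    ),
}
ANSI = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")  # colour codes embedded in saved tracebacks


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to its source without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str, location: str) -> list[dict]:
    """Return one finding per pattern hit in `text`, tagged with `location`."""
    text = ANSI.sub("", text)
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append({"location": location, "kind": kind, "match": redact(value)})
    return findings


def _as_str(x) -> str:
    # nbformat stores text either as a single string or as a list of lines
    return "".join(x) if isinstance(x, list) else str(x)


def scan_notebook(nb: dict) -> list[dict]:
    """Scan every cell's source and, for code cells, every saved output."""
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        findings += scan_text(_as_str(cell.get("source", "")), f"cell {i} source")
        for j, out in enumerate(cell.get("outputs", [])):
            kind = out.get("output_type")
            if kind == "stream":
                blob = _as_str(out.get("text", ""))
            elif kind in ("execute_result", "display_data"):
                blob = _as_str(out.get("data", {}).get("text/plain", ""))
            elif kind == "error":
                blob = "\n".join(out.get("traceback", []) + [_as_str(out.get("evalue", ""))])
            else:
                continue
            findings += scan_text(blob, f"cell {i} output[{j}] ({kind})")
    return findings


SAMPLE_NOTEBOOK = {  # constructed
    "nbformat": 4,
    "cells": [
        {   # reads the key from the environment: nothing leaks from the source
            "cell_type": "code",
            "source": ["import os, boto3\n", "client = Client(api_key=os.environ[\"OPENAI_API_KEY\"])\n"],
            "outputs": [],
        },
        {   # harmless source, but the saved stdout contains the credential
            "cell_type": "code",
            "source": "print(boto3.Session().get_credentials().access_key)",
            "outputs": [{"output_type": "stream", "name": "stdout", "text": ["AKIAIOSFODNN7EXAMPLE\n"]}],
        },
        {   # a failed request whose traceback echoes the token it sent
            "cell_type": "code",
            "source": "resp = post(url, headers=auth)",
            "outputs": [{"output_type": "error", "ename": "HTTPError", "evalue": "401 Client Error",
                         "traceback": ["\x1b[0;31mHTTPError\x1b[0m: 401 for token xoxb-1234567890-abcdefghijkl"]}],
        },
        {   # a markdown cell with a pasted token
            "cell_type": "markdown",
            "source": ["Run with HF_TOKEN=hf_ABCDEFGHIJKLMNOPQRSTUV before executing.\n"],
        },
    ],
}

SAMPLE_MCP_JSON = json.dumps({  # constructed; the token value is made up
    "mcpServers": {"github": {
        "command": "npx",
        "args": ["-y", "@modelcontextprotocol/server-github"],
        "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"},
    }}
})

if __name__ == "__main__":
    for f in scan_notebook(SAMPLE_NOTEBOOK) + scan_text(SAMPLE_MCP_JSON, "mcp.json"):
        print(f)
```

In the constructed notebook the only cell whose source mentions an API key is clean, while the two leaks sit in saved outputs, which is exactly why a pre-commit hook that only scans `source` misses them. Pair a scanner like this with clearing outputs before commit (for example `jupyter nbconvert --clear-output`) rather than relying on detection alone.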