Home Articles How Containers are Attacked by Cryptominer Malware

How Containers are Attacked by Cryptominer Malware


Recently, researchers revealed that misconfigured containers are again targeted by Cryptominer malware. Read on to know more about it…

An attack group is searching for insecure containers exposing the Docker API and then installing a program that attempts to mine cryptocurrency. Containers are among the most essential technologies in DevOps known for the speed and efficiency it offers during the development process, while maintaining consistency across the board. However, such agility also exposes organizations to potential risks.

Misconfigured Docker API
A threat actor group was recently found targeting insecure containers, exposed due to misconfigurations in the Docker API. Researchers stumbled upon a cloud-based cryptomining malware called ‘Kinsing’ that targets thousands of Docker systems to run a Bitcoin miner. The research team said that Containers allowing Docker commands to be executed without authentication are at risk.

A quick search using a port-scanning service revealed that around 6,000 IP addresses could be hosting vulnerable installations of Docker. The volume of attacks suggests that it is an aggressive attack campaign since much effort is required into scanning the Internet on a daily basis. Also, in the first week of April 2020, a report revealed that a malicious botnet has been targeting Microsoft SQL database servers for the last two years to mine cryptocurrency. The hackers had managed to infect a significant number of servers, ranging from 2,000 to 3,000, on a daily basis.

Other Cryptojacking Attacks
Over the years, we have seen cryptojacking attacks affecting various kinds of devices but recently, hackers have resorted to Containers to channelize their attacks and quickly infect additional systems. Security teams can learn about their attack tactics from previous attack campaigns such as the following instances

• Researchers found a new cryptojacking worm, dubbed “Graboid,” that spreads using Containers in the Docker Engine and was deployed to mine Monero coins.
• An API misconfiguration in Docker Engine-Community allowed attackers to infiltrate Containers and run a variant of the Linux botnet malware AESDDoS.
• Last year, a group of researchers revealed Containers caught in malicious trap coming from a publicly accessible Docker Hub repository named “zoolu2” that contained the binary of a Monero (XMR) cryptocurrency miner.
• Researchers detected “Xulu”, a mining botnet, that deployed malicious Docker Containers on victim hosts by exploiting Docker’s remote API.

In 2018, it was reported that seventeen malicious Docker Containers earned cryptomining criminals $90,000 in a span of just 30 days.

Compromising Containers
Various threats attackers exploit to compromise Containers are through

• Default configuration during image creation: It is one of the most common mistakes. During image creation, users often install an application with its default configuration, ignoring the security aspects.
• Exposed data in docker files: Attackers are always looking for data such as passwords and the private portions of SSH encryption keys in Dockers. Even default passwords for an account is a big risk.
• Unreliable third-party sources: Hackers have been dropping malicious codes on public platforms such as a GitHub repository to target unsuspecting users. This opens up the container to potential attacks.
• Exposed applications and ports: Deployed applications can be exploited through SQL injection, cross-site scripting, brute-force attacks, and remote file inclusion. Exposed ports in applications can also lead to API abuse.
• Non-update vulnerable images: Container images need to be regularly updated. Older infected images (with vulnerabilities or bugs) could be exploited by hackers for malicious attacks.


Please enter your comment!
Please enter your name here

+ 5 = 11