Uptycs researchers identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API.

The Uptycs Threat Research team has identified ongoing malicious campaigns through our Docker honeypot targeting exposed Docker API port 2375. The attacks are related to crypto miners and reverse shells on the vulnerable servers using base64-encoded commands in the cmdline, built to evade defense mechanisms. This article briefly discusses three types of attacks which we observed lately in our Docker honeypot.

  • Coinminer attacks
  • Reverse shell attacks
  • Kinsing malware attacks

Case 1 – Coinminer Attacks 

The coinminer attack chain involves several shell scripts to drop malicious components via deployment of legitimate Docker images on the vulnerable servers (the servers exposed to Docker API). 

Malicious Shell Scripts Involved In The Campaign

The threat actors tried to run the Alpine Docker image with chroot command to gain full privileges on the vulnerable server host (a common misconfiguration). The attacker passed curl utility as an argument to the Alpine image which downloads and runs the malicious shell script (hash: 

) on the vulnerable server host as shown below (see Figure 1).

Figure 1: honeypot log – command ran by attacker on the vulnerable server

Cronb.sh (the miner script)

Securing Docker: The Attack and Defense Way

Securing Docker: The Attack and Defense Way by [Nitin Sharma, Jeremy Martin, Daniel Traci]

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices