DataDog Security Labs researchers have recently identified that attackers are exploiting Docker Swarm, Kubernetes, and SSH servers on a large scale. The primary goal of the campaign is cryptojacking: the XMRig miner is deployed to mine Monero cryptocurrency. The attackers show advanced tradecraft by manipulating Docker Swarm to assemble a botnet-like network of compromised systems. Their payloads also target the Kubernetes kubelet API, which lets them claim more compute resources and deploy further malware, and the campaign uses Docker Hub to distribute that malware. Malicious repositories were published under the username "nmlmweb3."

The threat actors follow a multi-stage approach. Initial access comes through exposed Docker API endpoints. Once inside, the malware scans for further vulnerable endpoints using tools such as masscan and zgrab, installs cryptocurrency mining software on the compromised containers, and launches secondary attacks laterally from them. Some of these tactics overlap with those previously attributed to TeamTNT, a known threat group. The campaign also reaches into cloud services, with similar targeting of GitHub and Codespaces, where the attackers hunt for credential files. Evasion is handled with techniques such as libprocesshider, which conceals the malicious processes from process listings.

Docker Swarm and Kubernetes are both container orchestration tools, though they serve different use cases, and SSH servers are commonly used alongside them to manage and secure remote access to the cluster nodes. This attack illustrates the need for strong security measures to protect Docker and Kubernetes deployments.
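The weaknesses and indicators named above can be checked on a host with a few simple audits. The following Python is an added example (not code from the report or from DataDog) that inspects a dockerd command line for a plain-TCP API listener, a kubelet command line for anonymous access, and /etc/ld.so.preload for unexpected entries such as libprocesshider; the sample inputs and the library path are constructed for illustration.

```python
"""Defender-side audits for a Docker API served over plain TCP, a kubelet open to
anonymous callers, and an unexpected /etc/ld.so.preload entry (libprocesshider).
Sample inputs below are constructed for this example, not taken from the report."""
import shlex


def _flag_values(args, names):
    """Collect values of flags written as '--flag value' or '--flag=value'."""
    values = []
    for i, arg in enumerate(args):
        name, sep, value = arg.partition("=")
        if name in names:
            if sep:
                values.append(value)
            elif i + 1 < len(args):
                values.append(args[i + 1])
    return values


def exposed_docker_api(cmdline):
    """TCP listen addresses that dockerd serves without TLS. An unauthenticated
    tcp:// listener is the exposed Docker API endpoint used for initial access."""
    args = shlex.split(cmdline)
    if any(a in ("--tls", "--tlsverify", "--tls=true", "--tlsverify=true") for a in args):
        return []
    return [h for h in _flag_values(args, ("-H", "--host")) if h.startswith("tcp://")]


def kubelet_allows_anonymous(cmdline):
    """True when kubelet flags leave the kubelet API open to unauthenticated clients.
    Assumes the documented flag defaults (anonymous-auth=true, authorization-mode=
    AlwaysAllow); a KubeletConfiguration file can override them and is not read here."""
    args = shlex.split(cmdline)
    anon = (_flag_values(args, ("--anonymous-auth",)) or ["true"])[-1] == "true"
    mode = (_flag_values(args, ("--authorization-mode",)) or ["AlwaysAllow"])[-1]
    return anon and mode == "AlwaysAllow"


def unexpected_preloads(preload_text, allowlist=()):
    """Entries of /etc/ld.so.preload outside the allowlist. libprocesshider hides the
    miner by being loaded into every process through this file."""
    entries = [line.strip() for line in preload_text.splitlines() if line.strip()]
    return [e for e in entries if e not in allowlist]


if __name__ == "__main__":  # constructed sample inputs, not from the report
    print(exposed_docker_api("dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"),
          kubelet_allows_anonymous("kubelet"),
          unexpected_preloads("/usr/local/lib/libprocesshider.so\n"))
```

On a live host, feed the functions the contents of /proc/<pid>/cmdline for dockerd and kubelet and of /etc/ld.so.preload; any non-empty or True result warrants a closer look.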
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 01 Oct 2024 15:06:24 +0000