Misunderstood Docker instances are the target of campaigns that employ the TOR Anonymous Network to stealthily mine cryptocurrency in sensitive environments.
“Attackers use the misunderstood Docker API to access containerized environments and mask activity while using Tor to deploy cryptominers,” trending microscientists Sunil Bharti and Shubham Singh said in an analysis published last week.
By using TOR, the idea is to anonymize its origin when installing a minor on a compromised system. According to cybersecurity companies, the attack starts with a request from an IP address 198.199.72[.]Gets a list of all containers on 27 machines.
If the container is not present, the attacker will create a new one based on the “Alpine” Docker Image and install the “/Hostroot” directory, that is, the root directory of the physical or virtual host machine (“https://thehackernews.com/”). This behavior poses a security risk and results in container escapes as the container can access and modify files and directories on the host system.
The threat actor performs a carefully orchestrated series of actions that run a base64 encoded shell script to set the TOR on the container as part of the creation request, and ultimately the a.Onion domain (“wtxqf54djhp5pskv2lfyduubub55ievxbyvlzjgjopk63adk63aduk63adubk63adubk63adubk63adubb55555 exed domain ([.]onion”)
“It reflects the common tactics used by attackers to hide command and control (C&C) infrastructure, avoid detection, and deliver malware or miners within compromised cloud or container environments,” the researchers said. “In addition, attackers use ‘Socks5H’ to route all traffic and DNS resolutions through the TOR for increased anonymity and evasion. ”
Once the container is created, the “docker-init.sh” shell script is expanded to set up remote access by checking the previously installed “/hostroot” directory, modifying the system’s ssh configuration, enabling root login, and adding an attacker-controlled SSH key to the ~/.ssh/authorized_keys file.
We also know that threat actors have installed a variety of tools, such as Masscan, Libpcap, ZSTD, and Torsocks. The beacon provides the C&C server details about the infected system to the beacon, and ultimately a binary that acts as a drip for the Xmrig cryptocurrency miner, along with the required mining configuration, wallet address, and mining pool URLs.
“This approach helps attackers avoid detection and simplify deployment in compromised environments,” Trend Micro said, adding that he observed activities targeting technology companies, financial services and healthcare organizations.
The findings point to the ongoing trends in cyberattacks that are misconfigured or securely targeted in cloud environments for cryptojacking purposes.
The development is as it revealed that Wiz had scanned public code repository to reveal hundreds of verified secrets in MCP.JSON, .ENV, and AI agent configuration files and Python notebooks (.IPYNB), turning them into a treasure trove of attackers.
The cloud security company said it has discovered valid secrets belonging to more than 30 companies and startups, including those belonging to Fortune 100 companies.
“Beyond merely a secret, it should generally be treated as sensitive by the code execution of python notebooks,” said researchers Shea Berkovich and Rami McCarthy. “Their content can provide reconnaissance details to malicious actors if they are correlated with the developer’s organization.”
Source link
