A new malware campaign has been found scanning the Internet for Docker servers whose API port is exposed online without authentication. The attackers break into the unprotected hosts and install a new crypto-mining malware strain called Kinsing.
The details of the campaign were published by the cloud security firm Aqua Security, which says the attacks began last year and are still ongoing.
Attacks of this kind compromise the Docker host and hand the attackers its considerable compute resources.
Gal Singer, a security researcher at Aqua stated that when a hacker finds a Docker instance with an exposed API port, they use the access provided by this port to spin up an Ubuntu container, where they download and install the Kinsing malware.
The main aim of the malware is to mine cryptocurrency on the hacked Docker instance. It also runs scripts that remove other malware running locally, and it gathers local SSH credentials in order to spread through the company's container network and infect other cloud systems with the same malware.
All companies should review the security settings of their Docker instances and ensure that no administrative APIs are exposed online. Admin endpoints that must be reachable over the Internet should sit behind a firewall or VPN gateway, and should be disabled when not in use.
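One way to turn that review into a repeatable check is to audit the daemon's own configuration for a network-reachable API listener. The script below is an added example written for this article; it is not code from Aqua Security or the Docker project. It reads a `daemon.json` (the real dockerd keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are used; the sample configurations are constructed) and flags any `tcp://` listener bound to a non-loopback address, treating the absence of TLS client verification as the critical case. It assumes, as dockerd documents, that a `tcp://` listener with no address binds all interfaces.

```python
"""Audit a Docker daemon.json for an administrative API reachable over the network.

Added example for this article, not code from Aqua Security or Docker.
Sample configurations below are constructed for illustration.
"""
import ipaddress
import json
from urllib.parse import urlsplit

DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]   # dockerd's default listener
LOCAL_SCHEMES = ("unix", "fd")                    # local socket / systemd socket activation
TLS_FILES = ("tlscacert", "tlscert", "tlskey")    # required alongside "tlsverify"


def _is_local_only(hostname):
    """True if the listener address can only be reached from the host itself."""
    if hostname == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        return False              # a DNS name: assume it resolves to a routable address
    return addr.is_loopback       # 0.0.0.0 and :: are "unspecified", not loopback


def audit_daemon_config(config):
    """Return a list of (severity, listener, message) findings for a daemon.json dict."""
    findings = []
    tls_verify = bool(config.get("tlsverify"))
    missing = [key for key in TLS_FILES if key not in config]
    if tls_verify and missing:
        findings.append(("HIGH", "-",
                         "tlsverify is set but these paths are not configured: " + ", ".join(missing)))

    for listener in config.get("hosts") or DEFAULT_HOSTS:
        parts = urlsplit(listener)
        if parts.scheme in LOCAL_SCHEMES:
            continue                                   # not reachable from the network
        if parts.scheme != "tcp":
            findings.append(("INFO", listener, "unrecognised listener scheme"))
            continue
        # Assumption: "tcp://" with no address means every interface, as dockerd documents.
        hostname = parts.hostname or "0.0.0.0"
        if _is_local_only(hostname):
            continue
        if not tls_verify:
            findings.append(("CRITICAL", listener,
                             "Remote API reachable from the network with no TLS client authentication"))
        else:
            findings.append(("MEDIUM", listener,
                             "Remote API exposed with TLS client auth; keep it behind a firewall or VPN"))
    return findings


def audit_daemon_file(path):
    """Load a daemon.json from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))


# Constructed sample configurations (not taken from any real host).
WEAK_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}
TLS_CONFIG = {
    "hosts": ["tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("tls", TLS_CONFIG)):
        print(name)
        for severity, listener, message in audit_daemon_config(cfg) or [("OK", "-", "no findings")]:
            print(f"  [{severity}] {listener}: {message}")
```

Run it against `/etc/docker/daemon.json` with `audit_daemon_file`; an empty result means the daemon only listens on its local socket or on loopback. A `MEDIUM` finding is not a pass: TLS client certificates authenticate the caller, but the endpoint is still reachable from the Internet and belongs behind the firewall or VPN gateway described above. The check covers only `daemon.json`; listeners passed on the `dockerd` command line or in a systemd unit need to be reviewed separately.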
Crypto-mining botnets have targeted Docker instances before; the first such attacks, in 2018, were detected by Aqua and Sysdig.