According to a report by cybersecurity firm Kaspersky, newly discovered Linux malware activity is endangering insecure Docker infrastructure, turning exposed servers into part of a decentralized cryptojacking network that mines the privacy coin Dero. The attack begins with a publicly exposed Docker API on port 2375. Once access is gained, the malware creates a malicious container, infects containers that are already running, steals system resources to mine Dero, and scans for other targets without the need for a central command server.

From a software perspective, Docker is a set of application or platform tools and products that use operating-system-level virtualization to deliver software in the form of small packages called containers.

The threat actors behind this operation deployed two Golang-based implants: one called "nginx" (deliberately disguised as legitimate web server software) and the other called "cloud", which is the actual mining software used to generate Dero. Once a host is compromised, the nginx module continues to scan the Internet for more vulnerable Docker nodes, using tools such as Masscan to identify targets and deploy new infected containers. To avoid detection, it encrypts configuration data, including wallet addresses and Dero node endpoints, and hides itself in a path typically used by legitimate system software.

Kaspersky found that the wallets and node infrastructure are the same as those used in earlier cryptojacking activity targeting Kubernetes clusters in 2023 and 2024, indicating that this is an evolution of a known operation rather than a completely new threat.
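
A defensive check for the exposed Docker API on port 2375 that the report describes, added here as an example and not taken from Kaspersky's report: it reads a Docker daemon's `daemon.json` and `dockerd` command line and lists TCP API listeners that are not protected by `tlsverify`. The function names and sample inputs are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def _hosts_from_argv(argv):
    """Collect -H/--host values from a dockerd command line."""
    hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("--host=", "-H=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (all interfaces) or a DNS name: assume reachable

def audit_docker_listeners(daemon_json, argv):
    """Return (listener, port, scope) for each TCP listener without client-cert auth."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", [])) + _hosts_from_argv(argv)
    tlsverify = bool(cfg.get("tlsverify")) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in argv)
    findings = []
    for h in hosts:
        # unix:// and fd:// listeners are local; tlsverify requires client certificates
        if not h.startswith("tcp://") or tlsverify:
            continue
        url = urlsplit(h)
        host, port = url.hostname or "", url.port or 2375  # 2375: default plain-TCP port
        scope = "loopback only" if _is_loopback(host) else "network-reachable"
        findings.append((h, port, scope))
    return findings

# Constructed sample configuration (not from the report).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    for listener, port, scope in audit_docker_listeners(SAMPLE_DAEMON_JSON, ["dockerd"]):
        print(f"unauthenticated Docker API: {listener} (port {port}, {scope})")
```

A "network-reachable" finding is the condition the report describes; a "loopback only" finding still gives any local process unauthenticated control of the daemon.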