HomeCyber BalkansHackers are using innovative methods to target Docker API

Hackers are using innovative methods to target Docker API

Published on

spot_img

A recent cryptojacking campaign, known as Spinning YARN, has launched a new attack targeting publicly exposed Docker Engine hosts. This campaign utilizes new binaries, including chkstart for remote access with payload execution, exeremo for lateral movement through SSH, and vurld as a Go downloader for malware retrieval. Additionally, attackers have implemented a persistence mechanism that modifies systemd services with ExecStartPost to execute malicious commands.

The primary targets of this campaign are Docker API endpoints that lack authentication. This new campaign shares tactics, techniques, and procedures (TTPs) with the previously identified Spinning YARN campaign. However, a detailed analysis of individual payloads is essential to fully comprehend the evolution and intricacies of these ongoing cyber attacks. These campaigns often reuse names for updated or replaced payloads, emphasizing the need for continuous monitoring and analysis.

The Spinning YARN malware campaign takes advantage of misconfigured Docker, Apache Hadoop, Redis, and Confluence servers. By scanning for open port 2375, attackers can deploy an Alpine Linux container that exploits the Docker host and grants full access to the system. This initial infection allows attackers to establish persistence by adding cron jobs that fetch and execute malicious shell scripts.

One of the key components of the chkstart malware is its ability to establish persistence on an Amazon Linux EC2 instance by modifying systemd unit files. By identifying systemd services with the “enabled” status, attackers inject a malicious command (ExecStartPost) to execute a hidden binary named “top” upon startup. Additionally, the malware modifies the SSH daemon configuration to accept SSH keys from specific locations, providing unauthorized access to the attacker.

Once persistence is achieved, the “top” binary is revealed to be a custom-built XMRig cryptocurrency miner. This miner utilizes the compromised system’s resources for crypto mining, further enhancing the attackers’ ability to generate illicit profits.

In terms of lateral movement, the exeremo binary is deployed to extract usernames, hostnames, SSH keys, and ports from compromised servers. This information is then used to spread laterally by connecting to other SSH servers and executing remote shell scripts. Additionally, exeremo deploys scanning tools and a custom Docker discovery utility to further propagate the infection.

Newly discovered payloads, such as sd/httpd and fkoths, continue to enhance the capabilities of the Spinning YARN campaign. These payloads scan for vulnerable Docker Engine hosts, exploit them using sophisticated techniques, remove Docker images created during the initial infection, and modify hosts files to block communication with the Docker registry. This ongoing development and adaptation demonstrate the persistent threat posed by this cryptojacking campaign.

In conclusion, the Spinning YARN cryptojacking campaign represents a sophisticated and evolving threat to publicly exposed Docker Engine hosts. By leveraging new binaries, altering persistence mechanisms, and implementing lateral movement tactics, attackers continue to exploit vulnerabilities and generate profits through illicit crypto mining operations. Continuous vigilance, analysis of individual payloads, and robust security measures are essential to detect, mitigate, and prevent such cyber attacks.

Source link

Latest articles

Zoom addresses account takeover vulnerability

Zoom Tackles Security Vulnerabilities in Key Software Products Zoom Video Communications recently addressed serious security...

Your VPN Has Become an Attackers’ Front Door

Rethinking VPNs in Today’s Cybersecurity Landscape In the rapidly evolving world of cybersecurity, organizations are...

Two Young Hackers Sentenced for Disrupting London Underground

Police Declare Success After Arrests "Effectively Halted" Scattered Spider Cybercrime Collective In a significant development...

Inside Microsoft’s Record-Breaking Release of 622 Bugs

Microsoft's Record-Breaking Security Update Addresses Urgent Vulnerabilities On July 14, 2026, Microsoft announced an unprecedented...

More like this

Zoom addresses account takeover vulnerability

Zoom Tackles Security Vulnerabilities in Key Software Products Zoom Video Communications recently addressed serious security...

Your VPN Has Become an Attackers’ Front Door

Rethinking VPNs in Today’s Cybersecurity Landscape In the rapidly evolving world of cybersecurity, organizations are...

Two Young Hackers Sentenced for Disrupting London Underground

Police Declare Success After Arrests "Effectively Halted" Scattered Spider Cybercrime Collective In a significant development...