Cryptomining Attack Taking Advantage of Misconfigured Docker API Since 2019

Since 2019, hackers behind a cryptomining effort have managed to stay undetected. According to experts, the attacks used misconfigured Docker APIs to get network access and set up a backdoor on vulnerable machines to mine bitcoin.

The attack is script-based and is named “Autom” after the shell script it relies on, “autom.sh.” Throughout the campaign’s active period the attackers have repeatedly exploited the same Docker API misconfiguration, but their evasion techniques have changed over time, which has allowed them to remain undetected, according to a report published Wednesday by Aquasec’s research arm, Team Nautilus.

When the researchers began drafting their study in October, they found that honeypots operated by Team Nautilus had been attacked 84 times since 2019: 22 attacks in 2019, 58 in 2020, and four in 2021. Attacks on the honeypots have fallen sharply this year, but a Shodan search indicates that overall targeting of improperly configured Docker APIs has not.

“This decrease in attacks on our honeypots might imply that the attackers identified them and therefore reduced the volume of their attacks in 2021. It seems that the group behind the attack has developed their skills to expand the attack surface and spread their attack,” researchers wrote.

According to the researchers, the attackers have used the same entry point and tactics to reach their ultimate goal of cryptomining for the whole of the campaign; what has changed most is the evasion techniques they keep refining to avoid detection.

“We saw the progression of the campaign in the tactics that the adversaries use to avoid detection. In 2019, the attack didn’t use any special techniques for hiding the cryptomining activity. In 2020, the adversaries were trying to conceal themselves and, therefore, disabled security mechanisms,” researchers wrote in the report.

According to the researchers, the shell script that starts the attack has been downloaded from five separate servers since the campaign began. The attackers appear to have honed their abilities to broaden the attack surface and widen their attacks.
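The entry point described in this campaign is a Docker daemon whose API is reachable over the network without client authentication. The following Python is an added defensive check, not code from the report or the article: it audits a daemon.json document or a dockerd command line for TCP listeners that are not protected by client-certificate verification (`--tlsverify` plus a CA). The sample daemon.json and command lines are constructed for illustration.

```python
import json
import shlex
from typing import List

# Constructed samples (not from the report): a daemon.json and two dockerd
# command lines, one exposing the API without client authentication and one
# requiring mutual TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
EXPOSED_CMDLINE = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_CMDLINE = ("/usr/bin/dockerd -H fd:// --host=tcp://0.0.0.0:2376 --tlsverify "
                    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
                    "--tlskey=/etc/docker/server-key.pem")


def _tcp_listeners(hosts: List[str]) -> List[str]:
    """Keep only network listeners; unix:// and fd:// sockets are host-local."""
    return [h for h in hosts if h.startswith("tcp://")]


def audit_daemon_json(text: str) -> List[str]:
    """Return TCP listeners in daemon.json that lack client-certificate verification.
    "tls": true alone encrypts the connection but does not authenticate clients,
    so only "tlsverify": true together with a "tlscacert" counts as protected."""
    cfg = json.loads(text)
    tcp = _tcp_listeners(cfg.get("hosts", []))
    if tcp and cfg.get("tlsverify") is True and cfg.get("tlscacert"):
        return []
    return tcp


def audit_dockerd_cmdline(cmdline: str) -> List[str]:
    """Same check against a running dockerd's argv (for example from ps output)."""
    args = shlex.split(cmdline)
    hosts: List[str] = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    tcp = _tcp_listeners(hosts)
    tlsverify = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    has_ca = any(a.startswith("--tlscacert") for a in args)
    return [] if (tcp and tlsverify and has_ca) else tcp


if __name__ == "__main__":
    for label, found in (("daemon.json", audit_daemon_json(SAMPLE_DAEMON_JSON)),
                         ("exposed dockerd", audit_dockerd_cmdline(EXPOSED_CMDLINE)),
                         ("hardened dockerd", audit_dockerd_cmdline(HARDENED_CMDLINE))):
        print(f"{label}: {'unauthenticated listeners ' + str(found) if found else 'ok'}")
```

A listener bound to 0.0.0.0 or :: is reachable from every interface, so a finding on such an address is the case to remediate first.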

About the author

CIM Team