Docker Swarm and Kubernetes are both container orchestration tools, but they serve different use cases.SSH servers can be utilized alongside these orchestration tools to manage and secure remote access to the nodes within the clusters.
DataDog security labs researchers have recently identified that hackers are actively exploiting Docker Swarm, Kubernetes, and SSH servers on a large scale.
The newly discovered malware campaign focuses on “Docker” and “Kubernetes” environments and uses “Docker API” endpoint vulnerabilities as the ‘initial access vector.’
Hackers Exploiting Servers in Large Scale
The threat actors install “cryptocurrency mining software” on compromised containers and launch secondary attacks from them laterally.
These malicious payloads target the “Kubernetes kubelet API” and enable the threat actors to extend more resources and deploy more viruses.Even the campaign also makes use of a docker hub for sharing the malware.
Under the name “nmlmweb3,” there are usernames of repositories that are malicious.
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
The attackers start the sequence by issuing a command to the exposed docker APIs, creating an “Alpine container” and running an ‘initialization script’ (“init.sh”).
This script installs the “XMRig miner,” applies “process hiding techniques,” and “fetches additional payloads.”
Lateral movement is enabled via scripts against “Kubernetes” ‘kube.lateral.sh,’ “Docker” ‘spread_docker_local.sh,’ and “SSH” ‘spread_ssh.sh.’
Apart from scanning with various tools such as “masscan” and “zgrab,” the malware also scans the network to look for vulnerable endpoints.
The malware validates the context in which mining programs are deployed. It shuts down the ‘security features’, ‘adds mining programs’ and ‘tries to propagate to other machines.’
The campaign further extends to the perpetrator’s use of cloud services, where similar targeting of “GitHub” and “Codespaces” is made, and then credential files are looked for.
Throughout the attack, the malware not only employs numerous “evasion techniques” but also tries to implement various strategies to maintain “persistence mechanisms.”
In this event the threat actors employed a “multi-stage approach,” initially exploiting exposed “Docker API endpoints” to gain access.
They then deployed various malicious payloads like “init.sh,” “kube.lateral.sh,” and “setup_xmr.sh,” which facilitated the “lateral movement” and “resource hijacking.”
The primary goal was “cryptojacking,” using the XMRig miner to mine “Monero cryptocurrency.” The attackers showed advanced tactics by manipulating “Docker Swarm,” to create a botnet-like network of compromised systems.
They also utilized scripts like “ar.sh” and “pdflushs.sh” for persistence, which ‘modified iptables rules,’ ‘adjusted system configurations,’ and ‘installed SSH backdoors.’
The campaign demonstrated sophisticated evasion techniques like using “libprocesshider” to hide malicious processes.
Infrastructure analysis revealed connections to solscan[. ]live, a domain used for command and control (C2) and payload delivery.
While some tactics have coincided with those attributed to the “TeamTNT,” a known threat group. But here the final attribution still remains “uncertain.”
This attack illustrates the need for strong security measures in protecting “Docker” and “Kubernetes” deployments.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Webinar