Cyber security news for all

More

    Hackers Used Malicious Docker Images to Mine Monero

    Researchers found malicious images on Docker Hub used for crypto mining.

    Palo Alto Networks’ Unit  42, unraveled a crypto mining scheme which uses malicious Docker images to hide cryptocurrency mining code. These images uploaded to the legitimate Docker Hub Repository have been downloaded more than 2 million times.

    Though the identity of the threat actors is still a mystery, Unit 42 has discovered that the Docker accounts—mainly used to disseminate images— were activated back in October 2019. One of the suspected accounts linked to the hacker holds at least 525 Monero units coins that are approximately $36,000.

    Docker is a “platform-as-a-service offering for Linux and Windows devices that developers use to help develop and package applications.”

    The report notes that “docker containers provide a convenient way for packaging software; which is evident by its increasing adoption rate. It makes it easy for a malicious actor to distribute their [malicious] images to any machine that supports Docker and start using its computing resources toward cryptojacking.”

    Researchers identified six variants of the Docker Image XMRig crypto miner.

    Cryptomining groundwork.

    Researchers At Unit 42 released a report detailing the process flow of the mining. And suspected methods employed.

    In the first place, the malicious images—hosted in a Docker Hub repository that resembled Microsoft Azure packages—are developed employing a custom mining code. This code triggered once a target opens the image.

    The malware used, altered the hash setting in the CPU—to permit the crypto miners to carry out their “work”—after determining the type of CPU used. After establishing this,  the XMRig crypto miner was downloaded from a GitHub repository and began mining for Monero.

    Finally, the threat actors employ two mining methods to get the Monero.

    “In the first method, the attacker is directly submitting the mined blocks to the central minexmr pool using a wallet ID,” according to the report. “Whereas in the second method, the author has instances deployed on a hosting service running their mining pool used to collect mined blocks.”

    Regarding the mining process, a principal software designer at Unit 42, Ashutosh Chitwadgi, had this to say. All the images here have a version of a custom Python script that starts the coin mining process using network anonymizing tools like Tor and ProxyChains. This script is registered as the entry point for the images so that as soon as the image is launched, the script and thus coin mining starts.”

    Chitwadgi also notes, “to make identification of mining traffic on a network difficult; hackers use the Tor browser and Proxychains – open-source software that allows users to run their programs through a proxy server”. He goes ahead to tell Information Security Media Group. “A firewall sitting between the victim miner and the internet would only see encrypted Tor traffic instead of the coin mining traffic that could trigger a different security team response compared to cleartext coin mining activity.”

    The Way Forward.

    Despite looking like campaigns are quiet, the scammers can freely start up another round. This hinges on the fact that creating another campaign simply involve setting up a new Docker Hub Account.

    With this in mind, Chatwadgi advised that Docker Hub users “automatically deploy cloud security tools that can scan for known vulnerabilities and provide alerts on dangerous configurations. This can help to maintain the security of all container components consistently and over time.”

    Users should also regularly sort through unfamiliar containers and images in their systems. They should also exercise discretion while downloading images from unknown registries or unknown user namespaces.

    Recent Articles

    Russian Cybercriminal Behind “Cardplanet” Site Sentenced

    According to the United States Department of Justice, a Russian cybercriminal, Aleksey Burkov, 30—who operated Cardplanet site: a site that trafficked stolen card details—has...

    Hackers Used Malicious Docker Images to Mine Monero

    Researchers found malicious images on Docker Hub used for crypto mining. Palo Alto Networks' Unit  42, unraveled a crypto mining scheme which uses malicious Docker...

    NSA outlines requirements for secure collaboration services for US government telework

    The new National Security Agency (NSA) guidelines are a window of security for users. Everyone has been trying to return to their lives since...

    Cybercriminals threaten to sell off “scandalous” files swiped from Mariah Carey, Nicki Minaj, Puff Daddy’s legal eagles

    There's no escaping these cybercriminals. In a recent case of "cyber-extortion," threat actors known as REvil, are threatening to expose celebrity "dirt." These threat actors...

    Twitter apologises for exposed customers data

    In what is described as a "data security incident," sensitive details of Twitter's customers were exposed. Unlike other cases of a breach which are...

    Related Stories

    Leave A Reply

    Please enter your comment!
    Please enter your name here

    Stay on op - Ge the daily news in your inbox