October 23, 2024
Severity
High
Analysis Summary
Threat actors have been observed targeting exposed Docker remote API servers to deploy SRBMiner cryptominer, as revealed by researchers. The attackers utilized the gRPC protocol over h2c (HTTP/2 without TLS encryption) to evade security solutions and execute their operations on compromised Docker hosts.
Initially, they checked for the availability and version of the Docker API, then requested gRPC/h2c upgrades to manipulate Docker functionalities. This allowed them to deploy a mining payload hosted on GitHub to mine XRP cryptocurrency using SRBMiner. The attack began with a discovery process where the adversaries scanned for public-facing Docker API hosts, specifically those supporting HTTP/2 protocol upgrades.
Once found, they upgraded the connection to h2c and utilized gRPC methods to carry out tasks like health checks, file synchronization, and SSH forwarding on Docker environments. By bypassing encryption and traditional security layers, the attackers were able to exploit the Docker server’s functionalities and deploy their malicious containers.
According to the researchers, a critical step of the attack was the gRPC request "/moby.buildkit.v1.Control/Solve", used to create the container that mined cryptocurrency. The attack's sophistication lay in bypassing common security defenses and leveraging Docker's API to run SRBMiner entirely through legitimate Docker processes. In parallel, a separate campaign was observed in which attackers exploited exposed Docker APIs to deploy the perfctl malware, further emphasizing the ongoing threat to unsecured Docker environments.
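As an added illustration of the detection side of this chain (it is not code from the advisory or from the researchers it cites), the Python script below correlates, per source IP, the three stages described above: Docker API version/ping discovery, an HTTP/1.1 Upgrade to h2c, and calls to the /moby.buildkit.v1.Control/Solve gRPC method. The log format, the "/grpc" upgrade path and the sample lines are constructed assumptions for this example; adapt the regex to whatever your reverse proxy or daemon actually records.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format (not from the advisory) for a reverse proxy placed in front of
# the Docker remote API:  <client_ip> "<method> <path> <proto>" <status> "<Upgrade header or ->"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[12](?:\.\d)?)" '
    r'(?P<status>\d{3}) "(?P<upgrade>[^"]*)"$'
)

# Stages in the order the advisory describes them.
RECON_PATHS = ("/version", "/_ping")              # API availability / version discovery
BUILDKIT_PREFIX = "/moby.buildkit.v1.Control/"    # gRPC service reachable after the h2c upgrade
SOLVE_METHOD = BUILDKIT_PREFIX + "Solve"          # the request that creates the mining container

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 "GET /v1.41/version HTTP/1.1" 200 "-"',
    '198.51.100.7 "GET /_ping HTTP/1.1" 200 "-"',
    '198.51.100.7 "POST /grpc HTTP/1.1" 101 "h2c"',
    '198.51.100.7 "POST /moby.buildkit.v1.Control/Solve HTTP/2.0" 200 "-"',
    '192.0.2.10 "GET /v1.43/version HTTP/1.1" 200 "-"',
    '203.0.113.5 "GET /containers/json HTTP/1.1" 200 "-"',
    'this line is garbage and is skipped',
]


@dataclass
class HostActivity:
    recon: bool = False
    h2c_upgrade: bool = False
    grpc_methods: set = field(default_factory=set)
    solve: bool = False


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Correlate every line by client IP and record which attack stages were seen."""
    hosts = defaultdict(HostActivity)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        h = hosts[rec["ip"]]
        path = rec["path"].split("?", 1)[0]
        # Versioned endpoints look like /v1.41/version; drop the version prefix.
        bare = re.sub(r"^/v\d+\.\d+", "", path)
        if bare in RECON_PATHS:
            h.recon = True
        if rec["upgrade"].lower() == "h2c":      # cleartext HTTP/2 upgrade request
            h.h2c_upgrade = True
        if path.startswith(BUILDKIT_PREFIX):     # any buildkit gRPC method
            h.grpc_methods.add(path)
            if path == SOLVE_METHOD:
                h.solve = True
    return hosts


def findings(hosts):
    """Map each suspicious client IP to a severity based on the furthest stage reached."""
    out = {}
    for ip, h in hosts.items():
        if h.solve:
            out[ip] = "critical"   # container build/creation over the unauthenticated API
        elif h.h2c_upgrade or h.grpc_methods:
            out[ip] = "high"
        elif h.recon:
            out[ip] = "low"        # version probing alone: watch, do not page
    return out


if __name__ == "__main__":
    for ip, sev in findings(analyze(SAMPLE_LOG)).items():
        print(f"{ip}: {sev}")
```

A plain GET on /version from an unknown source is common scanner noise, so it is rated low on its own; the h2c upgrade and the buildkit Solve call are the discriminating signals and are what should raise an alert.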
To mitigate these risks, security experts recommend strong access controls and authentication for Docker API servers. Organizations should closely monitor their servers for unusual activity and follow container security best practices. Failing to secure Docker environments can lead to unauthorized access and malicious deployments that drain resources and compromise system integrity.
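The access-control recommendation above comes down to how dockerd's listeners are configured. As an added example (not part of the advisory), the Python audit below checks a daemon.json document for the weak pattern behind this campaign, a plain TCP listener with no client-certificate verification, and contrasts it with a hardened configuration. Both JSON documents, the interface address and the certificate paths are constructed for the example.

```python
import json

# Constructed examples (not from the advisory): a weak daemon.json that listens on every
# interface over cleartext TCP, and a hardened one restricted to one address with
# TLS client-certificate verification (or, better still, the Unix socket only).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Addresses this script treats as "bound to all interfaces" (an assumption of the script).
ALL_INTERFACES = ("", "0.0.0.0", "[::]", "::")


def audit_daemon_config(text):
    """Return a list of human-readable findings for a daemon.json document (empty = clean)."""
    cfg = json.loads(text)
    result = []
    hosts = cfg.get("hosts", [])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return result  # only the local Unix socket (or the default): nothing exposed remotely

    if not cfg.get("tlsverify"):
        result.append(
            "tcp listener without tlsverify: any client that can reach the port gets full "
            "control of the daemon, including the build (gRPC) endpoints"
        )
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                result.append(f"tlsverify set but {key} is missing")

    for h in tcp_hosts:
        addr = h[len("tcp://"):]
        host, _, port = addr.rpartition(":")
        if host in ALL_INTERFACES:
            result.append(f"{h}: bound to all interfaces")
        if port == "2375":
            result.append(f"{h}: port 2375 is the conventional unencrypted Docker API port")
    return result


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

The script only reads daemon.json; listeners added with -H on the dockerd command line (for example in a systemd unit) are not covered, so check the running process arguments as well. Even with tlsverify enabled, a TCP listener should sit behind a firewall that only admits the hosts that genuinely need remote API access.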
Impact
- Unauthorized Access
- Cryptocurrency Theft
- Financial Loss
Indicators of Compromise
IP
- 59.93.45.16
MD5
- 970934d4dbbb236e3bc6428b106058ed
SHA-256
- 0d4eb69b551cb538a9a4c46f7b57906a47bcabb8ef8a5d245584fbba09fc5084
SHA-1
- 74d8622811a887655d3cf1c6f2b9a542bb77ebb9
URL
- https://github.com/doktor83/SRBMiner-Multi/releases/download/2.5.8/SRBMiner-Multi-2-5-8-Linux.tar.g
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Patch and upgrade all platforms and software in a timely manner, and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Regularly review the dependencies of your open-source projects and consider using package-lock files or version pinning to ensure that you’re using trusted and verified packages.
- Use automated security scanning tools to analyze dependencies for known vulnerabilities or suspicious code.
- Provide training to developers and team members on secure coding practices, the risks of third-party dependencies, and the importance of code reviews.
- Implement access control measures on your code repositories to restrict who can contribute or make changes to the codebase.
- Maintain regular backups of your critical data to ensure data recovery in case of a security incident.
- Use antivirus and intrusion detection systems to help identify and block malicious activity.
- Implement network segmentation to limit the spread of malware or malicious activities within your network.
- Enforce strong password management practices for your systems and accounts.
- Implement MFA wherever possible to add an extra layer of security.