

October 1, 2024
Severity
High
Analysis Summary
The recently uncovered cryptojacking campaign primarily targets the Docker Engine API, exploiting it to build a botnet of Docker instances that the attackers control through Docker Swarm. By leveraging Swarm's orchestration features, the attackers use the compromised Docker environments for command-and-control (C2) purposes.
According to the report, initial access is achieved by identifying exposed, unauthenticated Docker API endpoints with scanning tools such as masscan and ZGrab. Once access is gained, an Alpine container is deployed to run a shell script that downloads and installs the XMRig cryptocurrency miner. The libprocesshider rootkit is then used to conceal the mining process from system monitoring tools.
The campaign also includes mechanisms for lateral movement to other systems running Docker, Kubernetes, or SSH services. It uses multiple shell scripts retrieved from a remote server to scan the network and spread to other vulnerable hosts. The script spread_docker_local.sh scans for specific Docker-related ports, while spread_ssh.sh compromises SSH servers by adding new users and SSH keys to enable persistent remote access. The threat actors use these scripts to propagate the malware in a worm-like fashion, enabling rapid spread across affected environments.

To maintain control, the attackers manipulate Docker Swarm configurations. One of the scripts, TDGINIT.sh, forces Docker hosts to join the attackers' Swarm, turning compromised systems into a botnet for further exploitation. The attackers also evade detection by modifying iptables rules, clearing logs, and using other stealth techniques. The campaign additionally targets cloud credentials by searching for SSH and cloud service credential files, which further enables the attackers to extend their reach into AWS, Google Cloud, and Samba environments.
This attack highlights the persistent exposure of poorly secured Docker and Kubernetes services to cryptojacking. By exploiting unprotected Docker API endpoints, attackers can propagate malware rapidly and at scale. The campaign is linked to the threat group TeamTNT, which is known for cryptojacking attacks. Because cloud environments remain a lucrative target for threat actors, security teams must enforce proper authentication and restrict access to cloud infrastructure to mitigate such attacks.
Impact
- Gain Access
- Remote Code Execution
- Financial Loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Disable unauthenticated access to Docker API endpoints.
- Use firewalls to restrict API access to trusted IPs only.
- Ensure Docker is running in a secure environment and not exposed to the public internet.
- Implement strong authentication mechanisms (such as TLS certificates) for Docker and Kubernetes services.
- Enforce multi-factor authentication (MFA) for SSH access.
- Use role-based access control (RBAC) for container orchestration platforms like Kubernetes and Docker Swarm.
- Regularly patch and update Docker, Kubernetes, and other infrastructure-related services to protect against known vulnerabilities.
- Apply security updates to operating systems and software dependencies to prevent exploitation.
- Use network segmentation to isolate Docker and Kubernetes environments from untrusted networks.
- Monitor network traffic for suspicious activity, such as scanning attempts against Docker-related ports (2375, 2376, 2377, 4243, 4244).
- Set up intrusion detection/prevention systems (IDS/IPS) to detect malicious lateral movement.
- Limit the use of root privileges in containers and ensure containers are run with the least amount of privilege necessary.
- Regularly review and audit user and application permissions to detect and remove unnecessary privileged access.
- Monitor CPU and GPU usage for spikes that may indicate unauthorized cryptocurrency mining.
- Deploy endpoint detection and response (EDR) tools to identify and stop cryptojacking activities.
- Scan for and remove malware, such as the XMRig miner and libprocesshider rootkit.
- Disable SSH access where it is unnecessary or limit it to key-based authentication.
- Regularly audit SSH keys and users to ensure that only authorized personnel have access.
- Use tools like Fail2Ban to block brute-force attempts against SSH services.
- Conduct regular security audits on Docker, Kubernetes, and other critical infrastructure configurations.
- Perform vulnerability scans to identify exposed ports or misconfigurations that could be exploited.
- Enable logging for Docker, Kubernetes, and SSH to track suspicious behavior and anomalies.
- Use centralized logging solutions to correlate events and detect potential security breaches in real-time.
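As an added example (not part of the advisory or the vendor's tooling), a small Python audit that checks a host for the exposure this campaign relies on: a Docker API listening on TCP without TLS client verification, plus listeners on the Docker and Swarm ports named in the remediation list. The daemon.json keys it reads (hosts, tlsverify, tlscacert) are Docker's real configuration keys; the sample configurations and socket list are constructed.

```python
"""Audit a Docker daemon configuration for the exposure this campaign abuses:
a TCP API listener reachable without TLS client verification."""
from urllib.parse import urlsplit

# Ports from the advisory's remediation list: 2375 = plaintext Docker API,
# 2376 = TLS Docker API, 2377 = Swarm manager, 4243/4244 = legacy API ports.
DOCKER_PORTS = {2375: "docker-api-plain", 2376: "docker-api-tls",
                2377: "swarm-manager", 4243: "legacy-api", 4244: "legacy-api"}


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return findings for a parsed daemon.json dict. The keys read here
    (hosts, tlsverify, tlscacert) are real daemon.json keys; the values are
    whatever the caller loads from the host under review."""
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", ["unix:///var/run/docker.sock"]):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        port = url.port or 2375
        public = (url.hostname or "0.0.0.0") in ("0.0.0.0", "::")
        if not tls_verify:
            findings.append(f"{host}: TCP API without tlsverify (unauthenticated)"
                            + (" on all interfaces" if public else ""))
        elif not cfg.get("tlscacert"):
            findings.append(f"{host}: tlsverify set but no tlscacert, so clients cannot be verified")
        if port == 2375:
            findings.append(f"{host}: port 2375 is the conventional plaintext API port")
    return findings


def flag_listeners(sockets: list[tuple[str, int]]) -> list[str]:
    """Flag (addr, port) listeners on Docker or Swarm ports bound to a
    non-loopback address; in practice the tuples would be parsed from `ss -ltn`."""
    return [f"{addr}:{port} ({DOCKER_PORTS[port]}) listening on a non-loopback address"
            for addr, port in sockets
            if port in DOCKER_PORTS and addr not in ("127.0.0.1", "::1")]


if __name__ == "__main__":
    # Constructed sample configs: the exposure the advisory describes, and a hardened one.
    weak = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
    hardened = {"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
                "tlsverify": True, "tlscacert": "/etc/docker/ca.pem"}
    for name, cfg in (("weak", weak), ("hardened", hardened)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
    print(flag_listeners([("0.0.0.0", 2375), ("127.0.0.1", 2375), ("0.0.0.0", 2377)]))
```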