A major shift in the malware landscape was noticed towards the end of 2017. Due to the growing popularity of cloud-based technologies, gangs of threat actors and cybercriminals began targeting Docker and Kubernetes systems.

Most of these attacks followed a very simple pattern: cybercriminals scanned for misconfigured systems whose admin interfaces were exposed online, took over the servers, and deployed cryptocurrency-mining malware.

For the last three years, these attacks have escalated, and new malware strains and hackers targeting Docker are now being found on a daily basis.

In spite of the fact that malware attacks on Docker servers are now routine, several web developers and infrastructure engineers have not so far learned their lesson and are still misconfiguring Docker servers, leaving them vulnerable to attacks.

One of the most common errors is leaving Docker remote administration API endpoints exposed online without authentication.

For a number of years, malware like Doki, Ngrok, Kinsing (H2miner), XORDDOS, AESDDOS, Team TNT, and others, have scanned for Docker servers that left the Docker management API exposed online and then exploited it to deploy malicious OS images to plant backdoors or install cryptocurrency miners.
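As an added example (not from the article or from Qihoo 360), the following Python audit inspects a Docker daemon.json for the misconfiguration described above: a TCP listener that accepts API requests without client certificate verification (tlsverify). Both sample configurations are constructed, and the certificate paths in the hardened version are placeholders.

```python
import json
from typing import Any, Dict, List

# Constructed weak daemon.json: the management API bound to every interface over
# plain TCP, which is exactly what the scanners described above look for.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed hardened daemon.json: the TCP listener requires mutually
# authenticated TLS, so only holders of a client cert signed by the CA get in.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

def audit_docker_daemon(config_text: str) -> List[str]:
    """Return findings for tcp:// listeners not protected by tlsverify.
    Note that "tls": true alone only encrypts the connection; without
    "tlsverify" the daemon still accepts any client, so it is still flagged.
    Loopback-only listeners are reported at lower severity."""
    cfg: Dict[str, Any] = json.loads(config_text)
    findings: List[str] = []
    if cfg.get("tlsverify", False):
        return findings  # client certificates are verified on every listener
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix sockets are governed by file permissions, not this check
        addr = host[len("tcp://"):]
        # Strip the port; an empty address means "all interfaces" to dockerd.
        ip = addr.rsplit(":", 1)[0] if ":" in addr else addr
        loopback = ip in ("127.0.0.1", "localhost", "[::1]")
        sev = "LOW" if loopback else "CRITICAL"
        findings.append(f"{sev}: {host} accepts Docker API requests "
                        "without client certificate verification")
    return findings
```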

The latest of these malware strains was revealed last week by Chinese security firm Qihoo 360. Named Blackrota, it is a small backdoor trojan that is essentially a stripped-down version of the Cobalt Strike beacon implemented in the Go programming language.

Only a Linux version has been found so far, and it is unclear how this malware is being used. Investigators don’t know whether a Windows version also exists, whether Blackrota is being used for cryptocurrency mining, or whether it runs a DDoS botnet on top of powerful cloud servers.
