TZUTC: -0500
MSGID: 1160.consprcy@1:2320/105 2c9d9863
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
Misconfigured Docker instances are being hacked to mine cryptocurrency

Date:
Wed, 28 May 2025 14:25:00 +0000

Description:
A worm is spreading the miner autonomously, earning attackers plenty of Dero.

FULL STORY

Hackers are building a botnet out of misconfigured Docker API instances and
using it to mine the Dero cryptocurrency, experts have warned. 

Security researchers from Kaspersky reported finding a container zombie
outbreak that started with an exposed Docker API. 

This led to the running containers being compromised and new ones being
created not only to hijack the victims resources for cryptocurrency mining 
but also to launch external attacks to propagate to other networks, they
explained.

In this zombie outbreak, the patient zero is a misconfigured API thats left
open to the internet. There, the attackers deploy a piece of malware 
disguised as nginx, a high-performance, open-source web server and reverse
proxy server. 

The malware scans for vulnerable instances and infects them, and then creates
new malicious containers and forces existing ones to mine Dero. At the same
time, it continues to spread to other systems. 

This is a two-step process, Kaspersky explains. Nginx is the propagation tool
that scans for new victims, with the miner being a cloud-based solution. Both
components are written in Golang, which makes them rather difficult to 
detect. 

Kaspersky also says that unlike traditional cryptojacking campaigns, this one
doesnt rely on a command & control (C2) server, but instead spreads
autonomously, like a worm. 

Users running Docker should check their API settings, and make sure its not
exposed to the internet. Furthermore, they should fortify their login
credentials, and perform regular security audits and monitoring. 

While cybercriminals usually hijack servers to mine Monero with the XMRig,
this is not the first time researchers spotted Dero. According to The Hacker
News , CrowdStrike saw Kubernetes clusters being targeted back in March 2023,
and a subsequent iteration of the same campaign was spotted by Wiz in June
2024. 

Similar to Monero, Dero is also a privacy-focused Layer 1 blockchain, built 
to support decentralized applications (dApps) and smart contracts. 

 Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/misconfigured-docker-instances-are-bein
g-hacked-to-mine-cryptocurrency

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426