
Just a sample of the Echomail archive


 Message 1735 
 Mike Powell to All 
 Hackers abuse TOR network 
 11 Sep 25 09:04:40 
 
TZUTC: -0500
MSGID: 1484.consprcy@1:2320/105 2d2812c4
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Hackers abuse TOR network and misconfigured Docker APIs to steal crypto - so
keep an eye on your wallet

Date:
Wed, 10 Sep 2025 14:00:00 +0000

Description:
A major cryptojacking campaign, possibly turning into a botnet, was seen in
the wild.

FULL STORY

Cybercriminals are targeting exposed Docker APIs to install cryptojackers,
scan the internet for more potential victims, and possibly even build out a
botnet. 

Recently, security researchers from Akamai wrote an in-depth report about a
new campaign, seemingly a continuation of a similar one that was spotted by
Trend Micro in late June 2025. 

The campaign revolves around looking for servers with Docker APIs exposed on
port 2375. Once identified, the crooks create a new container and pull down a
script from a hidden TOR browser (.onion) website.

Cryptojacking botnet 

The script tweaks system settings to establish persistence, installs
scanning software like Masscan, and drops additional malware. This malware
then scans the internet for other exposed instances, repeating the infection
process.

The malware also has code that could attack Telnet (port 23) and Chromium's
debugging port (9222). For the former, it would brute-force weak routers and
other devices, while for the latter it could hijack browser sessions and
steal cookies and other data.

"These parts aren't active yet, but the code suggests they may be enabled
later," the researchers said.

Right now, the campaign is mostly about cryptojacking - the instances are
hijacked to mine the Monero cryptocurrency. But the extra code hints that
attackers want to expand it into a botnet, which could steal data or launch
large-scale DDoS attacks.

To prevent and mitigate these attacks, Akamai suggests four things every IT
team can do. First, they should isolate the Docker environment from other
parts of the network, since this limits the ability of the attackers to move
laterally. They should also make sure they expose as few services as possible
to the internet. 

"This malware exploits the ports 2375, 9222, and 23 by accessing these from
the internet, and blocking such access can totally mitigate the threat," they
said. Furthermore, when using the Chrome debugger port (9222), IT teams
should use specific remote IP addresses instead of 0.0.0.0. And finally, when
installing a new device, they should make sure to change the default
credentials to something stronger.

 Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/hackers-abuse-tor-network-and-misconfigured-docker-apis-to-steal-crypto-so-keep-an-eye-on-your-wallet

--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
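The mitigations in the story come down to checking what a host actually exposes: the Docker API on 2375, the Chromium debugger on 9222 and Telnet on 23 should never listen on a wildcard address, and the Docker daemon should not offer a plaintext TCP endpoint at all. The audit below is an added example written for this archive page; it is not code from the post, from TechRadar or from Akamai's report. It parses `ss -ltn` output and a Docker `daemon.json`, and flags the exposures the article names. The listener rows and both config files are constructed here for illustration; `hosts` and `tlsverify` are real daemon.json keys, and 2376 is Docker's conventional TLS port.

```python
import json
import re

# Ports named in the article as the malware's targets, with the service behind each.
RISKY_PORTS = {
    2375: "Docker Engine API (plaintext, no authentication)",
    9222: "Chromium remote debugging port",
    23: "Telnet",
}

# Local-address forms that ss prints for "listen on every interface".
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# One `ss -ltn` row: State Recv-Q Send-Q Local Address:Port Peer Address:Port
SS_ROW = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)")


def split_host_port(endpoint):
    """Split '0.0.0.0:2375', '*:23' or '[::]:9222' into (address, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def audit_listeners(ss_output):
    """Return (port, address, service) for every risky port bound to a wildcard address."""
    findings = []
    for line in ss_output.splitlines():
        row = SS_ROW.match(line)
        if not row or row.group("state") != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, port = split_host_port(row.group("local"))
        if port in RISKY_PORTS and addr in WILDCARDS:
            findings.append((port, addr, RISKY_PORTS[port]))
    return findings


def audit_daemon_json(text):
    """Return (host, reason) for each TCP listener in daemon.json that is wildcard-bound or lacks TLS."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable from the network
        addr, _port = split_host_port(host[len("tcp://"):])
        if addr in WILDCARDS or addr == "":  # Docker treats an empty host as 0.0.0.0
            findings.append((host, "API bound to every interface; bind to a specific internal IP instead"))
        if not cfg.get("tlsverify", False):
            findings.append((host, "plaintext API without client certificate verification (tlsverify)"))
    return findings


# Constructed `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*
LISTEN 0      128    127.0.0.1:9222      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      10     *:23                *:*
LISTEN 0      4096   [::]:9222           [::]:*
"""

# Constructed daemon.json files: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for port, addr, service in audit_listeners(SAMPLE_SS):
        print(f"EXPOSED  {addr}:{port}  {service}")
    for host, reason in audit_daemon_json(WEAK_DAEMON_JSON):
        print(f"WEAK     {host}: {reason}")
    print("hardened config findings:", audit_daemon_json(HARDENED_DAEMON_JSON))
```

On the sample data the listener audit reports 2375 on 0.0.0.0, 23 on `*` and 9222 on `::`, while the loopback-only 9222 and port 22 pass; the weak daemon.json draws both findings and the hardened one none. To run it against a live host, feed it the output of `ss -ltn` and the contents of `/etc/docker/daemon.json`; a clean result still does not replace the network-level blocking of those ports that the article recommends.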



(c) 1994,  bbs@darkrealms.ca