- Attackers are exploiting exposed Docker APIs to deploy cryptojackers and scan for further targets
- The malware installs persistence tools, carries inactive code for Telnet and Chrome debugging port attacks, and could evolve into a botnet
- Akamai urges isolating Docker, limiting exposed services and more
Cybercriminals are targeting exposed Docker APIs to install cryptojackers, scan the Internet for more potential victims and possibly even build a botnet.
Akamai security researchers recently published an in-depth report on a new campaign, apparently a continuation of a similar one observed by Trend Micro at the end of June 2025.
The campaign revolves around servers with the Docker API exposed on port 2375. Once such a server is identified, the criminals create a new container and fetch a script from a Tor hidden service (.onion site).
Cryptojacking botnet
The script adjusts the system configuration to establish persistence, installs scanning software such as Masscan and drops additional malware. That malware then scans the Internet for other exposed instances, repeating the infection process.
The malware also contains code that could attack Telnet (port 23) and the Chromium remote debugging port (9222). For the former, it would brute-force routers and other devices with weak credentials; for the latter, it could hijack browser sessions and steal cookies and other data.
These parts are not yet active, but the code suggests they could be enabled later, the researchers said.
For now, the campaign is mainly cryptojacking: the hijacked instances are used to mine the Monero cryptocurrency. But the additional code suggests the attackers want to expand it into a botnet, which could steal data or launch large-scale DDoS attacks.
To prevent and mitigate these attacks, Akamai suggests four things every IT team can do. First, isolate the Docker environment from other parts of the network, since this limits the attackers' ability to move laterally. Second, expose as few services as possible to the Internet.
“This malware exploits ports 2375, 9222 and 23 by accessing them from the Internet, and blocking such access can fully mitigate the threat,” they said. Third, where the Chrome debugging port (9222) is used, IT teams should bind it to specific remote IP addresses instead of 0.0.0.0. And finally, when installing a new device, they should change the default credentials to something stronger.
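The following is an added example, not code from Akamai's report or from the campaign itself, showing how a defender can check a host for the three exposures the advice above is about. It assumes two constructed inputs: a Docker `daemon.json` (where the `hosts` key controls which sockets the daemon listens on and `tlsverify` enables client certificate checks) and a `LISTEN`-only socket listing in the column layout of `ss -ltn`. It flags the Docker API, Chrome remote debugging and Telnet ports whenever they are bound to a wildcard address rather than a specific one.

```python
"""Audit a host for wildcard-bound Docker API, Chrome debugging and Telnet listeners.

Added example for illustration; the sample inputs below are constructed, not captured
from a real system.
"""
from __future__ import annotations

import json

# Ports named in the Akamai advice, with a short description for reports.
RISKY_PORTS = {
    2375: "Docker API (plain TCP, no TLS)",
    9222: "Chrome/Chromium remote debugging",
    23: "Telnet",
}

# Bind addresses that mean "every interface", i.e. reachable from the Internet
# if the host has a public address and no firewall in front of it.
WILDCARDS = {"0.0.0.0", "::", "*", ""}


def docker_hosts_exposed(daemon_json: str) -> list[str]:
    """Return tcp:// entries from daemon.json 'hosts' that bind all interfaces without TLS.

    A unix:// socket is local-only and is ignored. A TCP listener is reported when its
    address is a wildcard and 'tlsverify' is not enabled (unauthenticated API).
    """
    cfg = json.loads(daemon_json)
    findings: list[str] = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):]
        ip = addr.rsplit(":", 1)[0].strip("[]")  # handle [::]:2375 as well as 0.0.0.0:2375
        if ip in WILDCARDS and not cfg.get("tlsverify", False):
            findings.append(host)
    return findings


def exposed_listeners(ss_output: str) -> list[tuple[int, str, str]]:
    """Parse 'ss -ltn'-style lines and return (port, bind_ip, description) for risky wildcard binds."""
    findings: list[tuple[int, str, str]] = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        ip, _, port_text = parts[3].rpartition(":")  # Local Address:Port column
        ip = ip.strip("[]")
        try:
            port = int(port_text)
        except ValueError:
            continue
        if port in RISKY_PORTS and ip in WILDCARDS:
            findings.append((port, ip, RISKY_PORTS[port]))
    return findings


# --- Constructed sample inputs -------------------------------------------------
# Weak configuration: the API is reachable on every interface with no TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Hardened configuration: a specific management address, TLS with client verification.
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

# Constructed socket listing: 2375 and 23 are wildcard-bound (bad), 9222 is loopback-only
# (acceptable), 22 is outside the audited set.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:2375       0.0.0.0:*
LISTEN 0      128    127.0.0.1:9222     0.0.0.0:*
LISTEN 0      128    *:23               *:*
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*
"""

if __name__ == "__main__":
    for host in docker_hosts_exposed(SAMPLE_DAEMON_JSON):
        print(f"[daemon.json] unauthenticated Docker API listener: {host}")
    for port, ip, desc in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"[sockets] {desc} bound to {ip}:{port}; restrict the bind address or firewall it")
```

Run on a real host by feeding it the contents of `/etc/docker/daemon.json` and the output of `ss -ltn`; a clean result is an empty list from both functions. The loopback-bound 9222 entry is deliberately not reported, which matches the advice to bind the debugging port to specific addresses rather than 0.0.0.0.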
Via The Hacker News