
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,427 of 2,445   
   Mike Powell to All   
   Misconfigured Docker inst   
   29 May 25 07:57:00   
   
   TZUTC: -0500   
   MSGID: 1160.consprcy@1:2320/105 2c9d9863   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Misconfigured Docker instances are being hacked to mine cryptocurrency   
      
   Date:   
   Wed, 28 May 2025 14:25:00 +0000   
      
   Description:   
   A worm is spreading the miner autonomously, earning attackers plenty of Dero.   
      
   FULL STORY   
      
   Hackers are building a botnet out of misconfigured Docker API instances and   
   using it to mine the Dero cryptocurrency, experts have warned.    
      
   Security researchers from Kaspersky reported finding a container zombie   
   outbreak that started with an exposed Docker API.    
      
   This led to the running containers being compromised and new ones being   
   created not only to hijack the victims' resources for cryptocurrency mining    
   but also to launch external attacks to propagate to other networks, they   
   explained.   
      
   In this zombie outbreak, the patient zero is a misconfigured API that's left   
   open to the internet. There, the attackers deploy a piece of malware    
   disguised as nginx, a high-performance, open-source web server and reverse   
   proxy server.    
      
   The malware scans for vulnerable instances and infects them, and then creates   
   new malicious containers and forces existing ones to mine Dero. At the same   
   time, it continues to spread to other systems.    
      
   This is a two-step process, Kaspersky explains. Nginx is the propagation tool   
   that scans for new victims, with the miner being a cloud-based solution. Both   
   components are written in Golang, which makes them rather difficult to    
   detect.    
      
   Kaspersky also says that unlike traditional cryptojacking campaigns, this one   
   doesn't rely on a command & control (C2) server, but instead spreads   
   autonomously, like a worm.    
      
   Users running Docker should check their API settings, and make sure it's not   
   exposed to the internet. Furthermore, they should fortify their login   
   credentials, and perform regular security audits and monitoring.    
      
   While cybercriminals usually hijack servers to mine Monero with the XMRig,   
   this is not the first time researchers spotted Dero. According to The Hacker   
   News, CrowdStrike saw Kubernetes clusters being targeted back in March 2023,   
   and a subsequent iteration of the same campaign was spotted by Wiz in June   
   2024.    
      
   Similar to Monero, Dero is also a privacy-focused Layer 1 blockchain, built    
   to support decentralized applications (dApps) and smart contracts.    
      
    Via The Hacker News   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/misconfigured-docker-instances-are-being-hacked-to-mine-cryptocurrency   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428   
   SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200   
   SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
      
