Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,735 of 2,445    |
|    Mike Powell to All    |
|    Hackers abuse TOR network    |
|    11 Sep 25 09:04:40    |
TZUTC: -0500
MSGID: 1484.consprcy@1:2320/105 2d2812c4
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Hackers abuse TOR network and misconfigured Docker APIs to steal crypto - so keep an eye on your wallet

Date:
Wed, 10 Sep 2025 14:00:00 +0000

Description:
A major cryptojacking campaign, possibly turning into a botnet, was seen in the wild.

FULL STORY

Cybercriminals are targeting exposed Docker APIs to install cryptojackers, scan the internet for more potential victims, and possibly even build out a botnet.

Recently, security researchers from Akamai wrote an in-depth report about a new campaign, seemingly a continuation of a similar one that was spotted by Trend Micro in late June 2025.

The campaign revolves around looking for servers with Docker's API exposed on port 2375. Once identified, the crooks create a new container and pull down a script from a hidden TOR browser (.onion) website.

Cryptojacking botnet

The script tweaks system settings to establish persistence, installs scanning software like Masscan, and drops additional malware. This malware then scans the internet for other exposed instances, repeating the infection process.

The malware also has code that could attack Telnet (port 23) and Chromium's debugging port (9222). For the former, it would brute-force weak routers and other devices, while for the latter it could hijack browser sessions and steal cookies and other data.

These parts aren't active yet, but the code suggests they may be enabled later, the researchers said.

Right now, the campaign is mostly about cryptojacking - the instances are hijacked to mine the Monero cryptocurrency. But the extra code hints that attackers want to expand it into a botnet, which could steal data or launch large-scale DDoS attacks.

To prevent and mitigate these attacks, Akamai suggests four things every IT team can do. First, they should isolate the Docker environment from other parts of the network, since this limits the ability of the attackers to move laterally. They should also make sure they expose as few services as possible to the internet.

This malware exploits the ports 2375, 9222, and 23 by accessing these from the internet, and blocking such access can totally mitigate the threat, they said. Furthermore, when using the Chrome debugger port (9222), IT teams should use specific remote IP addresses instead of 0.0.0.0. And finally, when installing a new device, they should make sure to change the default credentials to something stronger.

Via The Hacker News

======================================================================
Link to news story:
https://www.techradar.com/pro/security/hackers-abuse-tor-network-and-misconfigured-docker-apis-to-steal-crypto-so-keep-an-eye-on-your-wallet

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
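An added example, not part of the original message or the article: one way a Linux admin could audit a host for the exposure described above, by flagging listeners on ports 2375, 9222 and 23 that are bound to 0.0.0.0. The function names and the sample table are constructed for illustration, and the check assumes a little-endian host and IPv4 only.

```python
import os
import socket
import struct

# Ports the article says the malware reaches from the internet.
RISKY_PORTS = {2375: "Docker API", 9222: "Chrome remote debugging", 23: "Telnet"}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout, trimmed to the first four
# columns (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:0947 00000000:0000 0A
   1: 0100007F:2406 00000000:0000 0A
   2: 00000000:0016 00000000:0000 0A
   3: 0A00000A:0017 0A000005:C350 01
"""

def decode_ipv4(hex_addr):
    # The kernel prints the address as a native-order 32-bit value; this
    # unpacking assumes a little-endian host (x86, most ARM).
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))

def find_exposed_listeners(proc_net_tcp_text):
    """Return (port, service, address) for risky ports listening on every interface."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # only listening sockets matter here
        hex_addr, hex_port = fields[1].split(":")
        addr, port = decode_ipv4(hex_addr), int(hex_port, 16)
        # A wildcard bind accepts connections on all interfaces; whether it is
        # reachable from the internet still depends on the firewall in front.
        if port in RISKY_PORTS and addr == "0.0.0.0":
            findings.append((port, RISKY_PORTS[port], addr))
    return findings

if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for port, service, addr in find_exposed_listeners(text):
        print(f"{service} listening on {addr}:{port}; bind to a specific address or firewall it")
```

In the sample, the Docker API on 0.0.0.0:2375 is reported, while the debugger bound to 127.0.0.1:9222 and the established (non-listening) Telnet connection are not.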
(c) 1994, bbs@darkrealms.ca