Unpatched Docker hosts target of cryptojacking campaign

Hackers have successfully attacked hundreds of unpatched Docker hosts. The cybercriminals were able to use the hosts to run cryptomining scripts. So says security firm Imperva in a new report, according to Silicon Angle.

The new wave of attacks on Docker follows the announcement of a vulnerability in February, known as CVE-2019-5736. This is a RunC vulnerability. RunC is the underlying container runtime for Docker, Kubernetes and other container-dependent programs. RunC is an open source command line tool that allows you to create and run containers.

The vulnerability allows an attacker to obtain root access on the host from a Docker container. The attackers can then do whatever they want, but they appear to be using it for cryptojacking. In cryptojacking, a system's processing power is used to mine cryptocurrency for the attackers.


With the Shodan search engine, the researchers found 3,822 Docker hosts with their remote application programming interface open and public. The researchers tried to connect to the hosts via port 2735. This resulted in 400 successful connections.

“We discovered that most of the exposed Docker remote API IPs run a cryptocurrency miner for a currency called Monero,” according to the researchers. “Monero transactions are obfuscated, which means it’s virtually impossible to track the source, amount or destination of a transaction.”

The researchers warn that the same unpatched hosts are also vulnerable to botnet connections, data theft and the creation of host services for phishing campaigns.


The researchers recommend downloading and installing the latest security updates. On 12 February, a patch for the vulnerability was rolled out. The researchers also conclude that Docker can be configured to protect it from such attacks.

“Exposing ports can be useful and may be required by third party apps, such as ‘portainer’, a management UI for Docker,” say the researchers. “But you have to be sure that you build in security mechanisms that only allow trusted sources to talk to the API.”
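
One way to check for the exposure the researchers describe, as an added example that is not from the article or from Imperva: it reads a dockerd `daemon.json` and flags TCP API listeners that do not require client certificates. The sample configurations, certificate paths and the function name are constructed for illustration; the port number is the one the article names.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: API bound to every interface, no TLS settings at all.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2735"]}'

# Constructed sample: same listener, but clients must present a certificate
# signed by the CA in tlscacert (paths are placeholders).
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2735"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})


def audit_daemon_config(text):
    """Return one finding per TCP listener that accepts unauthenticated clients."""
    cfg = json.loads(text)
    # Policy of this example: tlsverify must be on and all three paths explicit.
    mtls = bool(cfg.get("tlsverify")) and all(
        cfg.get(key) for key in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp" or mtls:
            continue  # unix:// and fd:// sockets are not network listeners
        addr = url.hostname or "0.0.0.0"  # "tcp://:PORT" binds every interface
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = addr == "localhost"
        if loopback:
            findings.append(f"{host}: loopback only, but no client-certificate check")
        else:
            findings.append(f"{host}: network-reachable API without client-certificate check")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(sample) or "no findings")
```

A clean result only covers the configuration file; listeners passed to dockerd on the command line or through a service unit are not seen by this check.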

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.