A group of hackers is scanning the entire Internet for vulnerable systems that run enterprise container software, in this case Docker, and then using those vulnerabilities to mine cryptocurrency, specifically Monero.
According to security researchers at Bad Packets, the scans identify vulnerabilities that allow the hackers to run malicious code which installs a cryptocurrency miner on a company's Docker instances.
Troy Mursch, a researcher at Bad Packets, told ZDNet that this approach is quite unusual, because the hacking campaign takes place on a very large scale. So far, at least 59,000 unique IP networks have been identified as part of the attack surface.
The injected miner is XMRig, which mines Monero coins. In the first two days the malware was active, just over 14.8 Monero was mined, which amounts to about 672 euros. Depending on how long it takes before the miner can be eliminated and how many further infections occur, this amount can grow considerably.
Advanced additional features
Another striking feature of the malware is its self-defence mechanism, which uninstalls monitoring software, among other things. It also removes processes belonging to other cryptomining botnets, eliminating the competition.
In addition, the hackers create backdoor accounts on the compromised containers and leave SSH keys behind, giving them an easy way to get back in and remotely control the infected bots. Mursch advises users to check immediately whether the API endpoints of their Docker instances are openly accessible from the Internet, in order to prevent further problems.
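One way to perform the check Mursch recommends on a Linux host, written here as an added example that is not from the article or from Bad Packets: it parses `ss -ltnp` output (a constructed sample is embedded so it runs offline) and flags Docker API listeners bound to anything other than loopback. The conventional Docker API ports 2375 (plain HTTP) and 2376 (TLS) and the `--live` flag are assumptions of this example.

```python
import re
import subprocess
import sys

# Conventional Docker remote API ports (assumption: the host uses the defaults).
DOCKER_API_PORTS = {2375: "docker-api-plain", 2376: "docker-api-tls"}
LOOPBACK = ("127.0.0.1", "::1", "[::1]")


def parse_ss_listeners(ss_output):
    """Parse `ss -ltnp` style output into (local_addr, port, process) tuples."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, _, port = parts[3].rpartition(":")  # handles "[::]:2375" too
        m = re.search(r'users:\(\("([^"]+)"', line)
        proc = m.group(1) if m else ""
        try:
            listeners.append((addr, int(port), proc))
        except ValueError:
            continue
    return listeners


def exposed_docker_api(ss_output):
    """Return Docker API listeners that are reachable from outside the host."""
    findings = []
    for addr, port, proc in parse_ss_listeners(ss_output):
        if port in DOCKER_API_PORTS and addr not in LOOPBACK:
            findings.append({"addr": addr, "port": port, "process": proc,
                             "tls": port == 2376})
    return findings


# Constructed sample output (not captured from a real host).
SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=812,fd=7))
LISTEN 0      4096   127.0.0.1:2376      0.0.0.0:*         users:(("dockerd",pid=812,fd=8))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=600,fd=3))
LISTEN 0      4096   [::]:2375           [::]:*            users:(("dockerd",pid=812,fd=9))
"""

if __name__ == "__main__":
    # With --live, inspect the current host; otherwise use the constructed sample.
    output = (subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout
              if "--live" in sys.argv else SAMPLE)
    for f in exposed_docker_api(output):
        print(f"Docker API exposed on {f['addr']}:{f['port']} ({f['process']}), TLS={f['tls']}")
```

A plain-HTTP listener on a non-loopback address is the case the article describes; even the TLS port deserves a look if the daemon was not configured to require client certificates.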