Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
A new cryptojacking campaign targeting Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Docker Hub to host malicious images and leverage Docker Swarm's orchestration features for command and control purposes. The campaign employs various techniques for lateral movement, persistence, and evasion, including manipulating Docker Swarm, exploiting Kubernetes' kubelet API, and installing backdoors. While some indicators suggest a possible link to TeamTNT, there is insufficient evidence for definitive attribution.
OPENCTI LABELS:
cryptojacking, xmrig, docker, kubernetes, container security, docker swarm