A recent report from Palo Alto Networks found that cryptojacking is the most common cloud threat. Palo Alto Networks deployed a honeypot mimicking a misconfigured Docker daemon and analyzed the data it collected between March and April.
The findings
- More than 75% of the attacks on the misconfigured Docker daemon honeypot were cryptojacking attacks.
- Within a period of 50 days, the research group observed 33 different types of attacks and 850 attacks in total, meaning the honeypot was attacked roughly every 90 minutes.
- The attacks were regular and were conducted by different threat actors. Some attackers designed their malware to detect and stop other malware already on the machine so as to keep a monopoly on the compromised device's resources.
- Other attacks collected information and sent it to a remote server, or deployed tooling such as a DDoS agent or a botnet agent on the misconfigured Docker daemon.
Other insights
Using the same data, the research team also identified and analyzed the most commonly used malware.
- Kinsing was the most common malware used in 360 attacks, followed by Cetus, TeamTNT Botnet A/B, and Miner A.
- Of the five most common attacks, three (Cetus and TeamTNT Botnet A/B) are attributed to the TeamTNT group.
- TeamTNT Botnet A and B are two new variants whose goal is to deploy a botnet and a malicious cryptominer. Both steal AWS credentials and deploy ziggy, an IRC agent.
- In addition, one of the two variants can spread on its own to other misconfigured Docker instances.
Conclusion
Misconfigured Docker daemons are a well-known security issue that has been actively exploited by cybercriminals for the past several years. Therefore, organizations hosting their data on Docker or other cloud-based platforms need to stay extra vigilant and follow security guidelines.
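As an added example (not from the report or from Palo Alto Networks), the check below audits a host's Docker daemon configuration for the misconfiguration these attacks rely on; it assumes, as is standard for this class of honeypot, that "misconfigured" means the daemon API is listening on TCP without TLS client verification (`tlsverify`). The `daemon.json` content and `dockerd` command line are constructed samples.

```python
import json
import shlex
from typing import List

# Constructed sample inputs (not taken from the report): a daemon.json and a
# dockerd command line as they might look on a host exposing the API in the clear.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
SAMPLE_DOCKERD_CMDLINE = (
    "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"
)


def _finding(host: str) -> str:
    # A listener bound to every interface is the worst case; call it out explicitly.
    exposure = "all interfaces" if host.startswith(("tcp://0.0.0.0", "tcp://[::]")) \
        else "a specific interface"
    return f"{host}: API listener without tlsverify, bound to {exposure}"


def audit_daemon_json(text: str) -> List[str]:
    """Flag TCP listeners in daemon.json that lack TLS client verification."""
    cfg = json.loads(text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    # "tlsverify": true is the daemon.json key that enforces client certificates.
    if cfg.get("tlsverify") is True:
        return []
    return [_finding(h) for h in tcp_hosts]


def audit_cmdline(cmdline: str) -> List[str]:
    """Same check over the dockerd command line (-H/--host and --tlsverify)."""
    argv = shlex.split(cmdline)
    hosts, tlsverify = [], False
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    if tlsverify:
        return []
    return [_finding(h) for h in hosts if h.startswith("tcp://")]


if __name__ == "__main__":
    for line in audit_daemon_json(SAMPLE_DAEMON_JSON) + audit_cmdline(SAMPLE_DOCKERD_CMDLINE):
        print("FINDING:", line)
```

Run it against `/etc/docker/daemon.json` and the live `dockerd` process arguments (for example from `ps`) to confirm that no TCP listener is reachable without client certificates.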