Aqua Security specialists report attacks that started in the last few months. Unknown attackers scan the network for Docker servers whose API ports are open to anyone without a password. Such unprotected hosts are eventually compromised, and the attackers install mining malware called Kinsing on them.
Researchers write that the attacks began last year and continue to this day. Moreover, these attacks are only one item in a long list of malicious campaigns aimed at Docker, since a compromised Docker system gives hackers unhindered access to huge computing resources.
According to experts, when hackers find a Docker instance with an open API port, they use this access to deploy an Ubuntu container, in which they download and install the Kinsing malware.
The main goal of this malware is to mine cryptocurrency on the hacked Docker host, but it has additional functions. Among them are running scripts that delete other malicious programs running locally, collecting local SSH credentials, and attempting to spread across the company's container network to infect other cloud systems with the Kinsing miner.
As Kinsing attacks continue today, Aqua Security recommends that companies check their Docker security and ensure that no administrative APIs are accessible from outside. Such endpoints should be placed behind a firewall or a VPN gateway (if they must be reachable from the Internet), and disabled when they are not in use.