Researchers at cybersecurity company Imperva have published a report detailing a vulnerability in a series of servers belonging to application software container maker Docker. While the report details a number of malicious activities that could be accomplished with a hacked server, Imperva has found that the majority of bad actors are mining Monero.
Docker containers package together code and the dependencies that code relies on, so that applications can be moved quickly from one computer to another. According to Imperva's report, companies running these containers can manage them through a remote API that lets a user change the state of a container. Imperva reports that a vulnerability in the remote API allows any bad actor to gain control of any container that is "(1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access."
Once a bad actor has access to the container, they're able to launch more attacks on different containers, create a botnet, host services for phishing campaigns, steal credentials and data, and pivot attacks to the company's internal network. But that's what bad actors could be doing, not necessarily what they are doing.
According to Imperva, 3,822 Docker containers are vulnerable because of the misconfigured remote API, 400 of which are actually exposed and accessible by the public. Most of those who have gained access are using the containers to run "a cryptocurrency miner for a currency called Monero."
The malicious mining of Monero isn't new in the cryptosphere. In January, researchers Sergio Pastrana and Guillermo Suarez-Tangil, from Universidad Carlos III de Madrid and King's College London, respectively, published a report estimating that hackers have mined at least 4.32 percent of the total Monero in circulation. The researchers assert that at least 2,218 active malicious mining campaigns have gathered roughly 720,000 Monero (worth about $33.8 million at time of press), with a single campaign having mined more than 163,000 Monero (worth about $7.6 million at time of press).
Leading up to its March 9 network hard fork, Monero itself has been in whatever the unfortunate version of a spotlight is. Last week, Coinhive announced it would be discontinuing its mining operation services. Dubbed "malvertising," Coinhive's Monero mining software could be used to mine the cryptocurrency through hijacked web browsers. More recently, a Reddit user claimed a bug in their hardware wallet caused them to lose around 1,680 Monero.
As for Imperva's recent findings, the cybersecurity company suggests Docker container users work diligently to create security controls that allow only trusted sources to interact with the remote API.
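The misconfiguration behind Imperva's findings is a Docker daemon whose remote API listens on a TCP port without client-certificate verification, so anyone who can reach the port can drive the daemon. The following script is an added example, not code from Imperva's report or from the Docker project: it audits a `daemon.json` file and flags a daemon that exposes the remote API without `tlsverify`, binds it to all interfaces, or uses the conventional plaintext port 2375. The two sample configurations are constructed for illustration; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real Docker daemon settings.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated remote API.

Added example (not Imperva's or Docker's own tooling). The weak and hardened
configurations below are constructed samples.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: remote API on all interfaces, no TLS client verification.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: bound to one internal address, mutual TLS required.
# The certificate paths are placeholders for this example.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(text: str) -> list:
    """Return a list of findings (empty list means no remote-API exposure found)."""
    cfg = json.loads(text)
    findings = []
    hosts = cfg.get("hosts", [])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        # Only the local Unix socket: the API is not reachable over the network.
        return findings

    tls_verify = bool(cfg.get("tlsverify", False))
    for h in tcp_hosts:
        parsed = urlsplit(h)
        host, port = parsed.hostname, parsed.port
        if not tls_verify:
            findings.append(
                f"{h}: remote API reachable without client certificate (tlsverify not set)"
            )
        if host in (None, "", "0.0.0.0", "::"):
            findings.append(f"{h}: bound to all interfaces")
        if port == 2375:
            findings.append(
                f"{h}: plaintext port 2375 (convention: 2376 is the TLS port)"
            )

    if tls_verify:
        # tlsverify without the certificate material is an incomplete setup.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} missing")
    return findings


def is_exposed(text: str) -> bool:
    """True when the daemon serves its API over TCP without client verification."""
    return any("tlsverify not set" in f for f in audit_daemon_config(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] exposed={is_exposed(cfg)}")
        for finding in audit_daemon_config(cfg):
            print("  -", finding)
```

Run it against a real file with `audit_daemon_config(open("/etc/docker/daemon.json").read())`. Note that the listen address can also be set with the `-H` flag in the daemon's service unit rather than in `daemon.json`, so a clean audit of the file alone does not prove the port is closed; checking what the host actually listens on, and restricting reachability of the port at the network layer, complements this file-level check.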