216.73.217.139

Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale

· Published 25/09/2024 12:43 · Modified 25/09/2024 13:10

Export JSON

Essential information

Published
25/09/2024 12:43
Modified
25/09/2024 13:10
Tags
2024-09-25 container security cryptojacking docker docker swarm kubernetes xmrig
Related entities
41 observables, 18 techniques (mitre), 1 malware

Description

A new campaign targeting Engine API has been discovered, with the ability to move laterally to , , and SSH servers. The attackers exploit exposed API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Hub to host malicious images and leverage 's orchestration features for command and control purposes. The campaign employs various techniques for lateral movement, persistence, and evasion, including manipulating , exploiting ' kubelet API, and installing backdoors. While some indicators suggest a possible link to TeamTNT, there is insufficient evidence for definitive attribution.

External references