Exposed Docker API endpoints to deliver cryptocurrency miners and other malicious payloads

Jun 19 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that upsets cybercriminals like #EURO2024 has upset expectations!!! ⚽🏟🥅

Today’s hottest cybersecurity news stories:

  • 😳 Exposed Docker APIs targeted by hackers for crypto mining ⛏️

  • 👩‍💻 Malaysian hackers extradited by Singapore police for fraud ⚠️

  • 💻 ASUS patches critical bypass flaw in multiple router models 📡

Don’t come a Docker 🙈🙈🙈

🚨 New Malware Targets Docker APIs for Cryptomining! 🚀💻

Exposed Docker APIs Under Attack! 🐳🔓 Cybersecurity researchers have discovered a new malware campaign targeting publicly exposed Docker API endpoints to deliver cryptocurrency miners and other malicious payloads.

Campaign Tactics and Tools 🛠️🕵️

  • Tools Deployed: Remote access tools capable of downloading more malware, and utilities for malware propagation via SSH.

  • Overlap: Shares tactics with the previous Spinning YARN campaign, which targeted Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking.

Attack Sequence 🎯

  1. Target: Docker servers with exposed ports (port 2375).

  2. Steps: Begins with reconnaissance and privilege escalation, followed by exploitation.

  3. Payload Retrieval: Uses a shell script named "vurl" to fetch additional payloads.

Malicious Payloads 🦠📦

  • vurl: A binary that overwrites its shell script version, using hard-coded C2 domains.

  • ar.sh: Installs tools to scan for vulnerable hosts, disables firewalls, and fetches the next payload, "chkstart."

  • chkstart: Configures the host for remote access and fetches additional tools like "m.tar" (XMRig miner) and "top."

  • Exeremo: Moves laterally to spread the infection and drops the "s.sh" script for installing scanning tools.

  • fkoths: A Go-based binary to erase traces and resist analysis.

Evolving Threats 🛡️🔄

The campaign indicates continuous attacks on misconfigured Docker hosts for initial access. By porting functionalities from shell scripts to Go, attackers complicate the analysis process, pointing to experimentation with multi-architecture builds.

Stay Alert! 🔒

Ensure your Docker configurations are secure to prevent falling victim to such sophisticated attacks!
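As an added, defender-side example (not code from the article or from any Docker project), the following Python audit reads a Docker daemon.json and flags the exposure the campaign relies on: a tcp:// listener on port 2375 without TLS client verification. It assumes Docker's documented daemon.json keys ("hosts", "tlsverify"); the sample configurations and file paths are constructed.

```python
"""Audit a Docker daemon.json for the unauthenticated TCP exposure abused above."""
import json
from urllib.parse import urlsplit

UNAUTH_TCP_PORT = 2375  # plain-text Docker API port the campaign scans for
TLS_TCP_PORT = 2376     # conventional port for a TLS-protected API listener

def audit_daemon_config(config_text: str) -> list[str]:
    """Return findings for a daemon.json document; an empty list means no TCP exposure."""
    cfg = json.loads(config_text)
    # Without "hosts", dockerd listens only on the local unix socket.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        # Port omitted: dockerd defaults to 2375, or 2376 when TLS is enabled.
        port = u.port or (TLS_TCP_PORT if tls_verify else UNAUTH_TCP_PORT)
        bind = u.hostname or "0.0.0.0"
        if not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify, API is unauthenticated")
        elif port == UNAUTH_TCP_PORT:
            findings.append(f"{h}: TLS enabled but served on the plain-text port 2375")
        if bind in ("0.0.0.0", "::"):
            findings.append(f"{h}: bound to every interface, not a management address")
    return findings

# Constructed sample: the weak setting the campaign looks for ...
WEAK_CONFIG = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
# ... and a corrected one: mutual TLS on 2376, bound to a management address.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # hypothetical certificate paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_daemon_config(text) or ['no TCP exposure']}")
```

Run it against /etc/docker/daemon.json on each host; a listener reported without tlsverify is exactly what the campaign's scanners look for on port 2375.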

Instantly calculate the time you can save by automating compliance

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

[Calculate now]

Malaysian hackers: Singapore me 😭😭😭

🚨🕵️‍♂️ Singapore's Malware Crackdown! 🚔👨‍⚖️

Major Extradition! 🚨 The Singapore Police Force (SPF) has extradited two men from Malaysia for their role in a mobile malware scam since June 2023.

Malware Scams Unveiled 🕵️‍♀️📲

The suspects, aged 26 and 47, used phishing campaigns to trick users into downloading malicious Android apps. These apps stole personal data and banking details, leading to financial losses.

Seven-Month Investigation 👮‍♂️

SPF, in collaboration with the Hong Kong Police Force and Royal Malaysia Police, linked the men to a syndicate behind these scams. The duo operated servers to infect phones and control them, enabling bank account compromises.

How the Scam Worked 📱💀

Malicious apps posed as discount offers and, once installed, granted scammers remote access. They used the app to monitor SMS, track devices, and capture sensitive data.

Arrests and Consequences 🚓⚖️

One suspect faces up to 7 years in prison and a $50,000 fine, while the other faces up to 10 years and a $500,000 fine. Taiwan Police also arrested four others involved in similar scams.

Operation DISTANTHILL Success

A total of 16 cyber criminals were arrested, and assets worth $1.33 million seized. Over 4,000 victims were defrauded.

US Dark Web Bust 💻🕳️

Separately, the U.S. Justice Department charged two men for operating Empire Market, a dark web marketplace trading $430 million in illegal goods. The operation ran from 2018 to 2020, leading to significant seizures and arrests.

Stay safe online! 🛡️🔒

Looks a bit ASUSipicious 👀👀👀

🚨🔧 Critical ASUS Router Security Update! 🔧🛡️

Major Vulnerability Alert! ⚠️ ASUS has released software updates to fix a critical security flaw (CVE-2024-3080) in its routers, which could allow hackers to bypass authentication. This flaw has a CVSS score of 9.8/10.

What’s the Issue? 🤔📶

  • Flaw: Authentication bypass

  • Impact: Remote attackers can log in without credentials

  • Reported by: Taiwan Computer Emergency Response Team (TWCERT/CC)

Additional Security Fixes 🛠️🛡️

ASUS also patched a high-severity buffer overflow flaw (CVE-2024-3079, CVSS score: 7.2). This flaw could let attackers with admin privileges execute arbitrary commands.

Potential Exploit Chain 🚨🔗

Attackers could combine CVE-2024-3080 and CVE-2024-3079 to bypass authentication and run malicious code.

Affected Models 📶

  • ZenWiFi XT8 (Fixed in 3.0.0.4.388_24621)

  • ZenWiFi XT8 V2 (Fixed in 3.0.0.4.388_24621)

  • RT-AX88U (Fixed in 3.0.0.4.388_24209)

  • RT-AX58U (Fixed in 3.0.0.4.388_24762)

  • RT-AX57 (Fixed in 3.0.0.4.386_52303)

  • RT-AC86U (Fixed in 3.0.0.4.386_51925)

  • RT-AC68U (Fixed in 3.0.0.4.386_51685)

Previous Patch 🚨🔧

Earlier this year, ASUS fixed another critical flaw (CVE-2024-3912, CVSS score: 9.8) that allowed remote file uploads and command execution.

User Action Required 🚨🔄

Update your routers to the latest version to protect against these vulnerabilities!

Stay secure! 🛡️💻

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
