
Unsecured Docker servers subjected to ongoing cryptojacking campaign


Misconfigured Docker remote API servers have been exploited by the threat actor Commando Cat to distribute cryptocurrency mining malware as part of an ongoing cryptojacking campaign, according to The Hacker News.

Commando Cat used the exposed Docker instances to pull and run the Docker image "cmd.cat/chattr", which gives the attacker access to the underlying operating system and then retrieves a cryptominer binary believed to be ZiggyStarTux, which is based on the Kaiten malware, a report from Trend Micro revealed. Distributing the cryptojacking script through Docker images "allows attackers to exploit vulnerabilities in Docker configurations while evading detection by security software," Trend Micro researchers said.
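Two checks a defender would want after reading the above, written here as an added example rather than code from the article, Trend Micro or Docker: one audits a parsed /etc/docker/daemon.json for a TCP listener that exposes the remote API without TLS client authentication (the misconfiguration the campaign abuses), the other flags docker-inspect-style container records that fit the pattern of an image pulled from an unexpected registry together with a route onto the host. The allow-list of registries, the sample daemon.json and the sample container records are constructed for the example; treating a host root bind mount or a privileged container as the "operating system access" route is an assumption about how such images typically reach the host, not a detail the article states.

```python
"""Added example: hypothetical checks for an exposed Docker remote API and for
container-create records matching the cryptojacking pattern described above.
Not code from the article, Trend Micro or Docker; inputs are constructed."""
import json
from urllib.parse import urlsplit

# Hypothetical allow-list of registries the organisation expects images to come from.
DEFAULT_ALLOWED_REGISTRIES = {"docker.io", "registry.example.internal"}


def audit_daemon_config(config: dict) -> list:
    """Return findings for a parsed /etc/docker/daemon.json.

    A tcp:// listener on a non-loopback address without tlsverify lets anyone who
    can reach the port create containers, which on a default install means root
    on the host. unix:// and fd:// sockets are local-only and are skipped.
    """
    findings = []
    tls_verified = bool(config.get("tlsverify")) and "tlscacert" in config
    for host in config.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue
        bind_addr = parts.hostname or "0.0.0.0"  # "tcp://:2375" binds all interfaces
        if bind_addr in ("127.0.0.1", "::1", "localhost"):
            continue
        if tls_verified:
            findings.append(f"INFO tcp listener {host} uses TLS client auth; confirm it is firewalled")
        else:
            findings.append(f"CRITICAL tcp listener {host} exposes the Docker API without TLS client auth")
    return findings


def image_registry(image_ref: str) -> str:
    """Registry part of an image reference, following Docker's naming rule: the first
    path component is a registry only if it contains '.' or ':' or is 'localhost'."""
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def flag_container(record: dict, allowed_registries=DEFAULT_ALLOWED_REGISTRIES) -> list:
    """Reasons a docker-inspect-like record looks like the campaign's pattern:
    an image from an unexpected registry plus a way out of the container."""
    reasons = []
    registry = image_registry(record.get("Image", ""))
    if registry not in allowed_registries:
        reasons.append(f"image from unexpected registry {registry}")
    host_cfg = record.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        reasons.append("privileged container")
    for bind in host_cfg.get("Binds", []):
        if bind.split(":", 1)[0] == "/":  # host root mounted into the container (assumed route to the host)
            reasons.append(f"host root bind-mounted ({bind})")
    if host_cfg.get("PidMode") == "host":
        reasons.append("host PID namespace")
    return reasons


# Constructed sample inputs (not real captures).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CONTAINERS = [
    {"Id": "a1", "Image": "cmd.cat/chattr",
     "HostConfig": {"Binds": ["/:/hs"], "Privileged": False}},   # constructed to match the pattern
    {"Id": "b2", "Image": "nginx:1.25",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
]


def run_checks(daemon_json: str = SAMPLE_DAEMON_JSON, containers=SAMPLE_CONTAINERS) -> dict:
    """Run both checks and return their findings keyed by source."""
    results = {"daemon": audit_daemon_config(json.loads(daemon_json)), "containers": {}}
    for rec in containers:
        reasons = flag_container(rec)
        if reasons:
            results["containers"][rec["Id"]] = reasons
    return results


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

On a real host, feed `audit_daemon_config` the parsed daemon.json (and remember that `-H` flags in the systemd unit override it), and feed `flag_container` the output of `docker inspect`; the registry check is what would single out an image such as the one named above even when the container itself looks unremarkable.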

The findings follow an Akamai report describing widespread attacks by a Chinese-speaking adversary that abuse the years-old ThinkPHP vulnerabilities tracked as CVE-2018-20062 and CVE-2019-9082 to deliver the Dama web shell.

"The recent attacks originated by a Chinese-speaking adversary highlight an ongoing trend of attackers using a fully fledged web shell, designed for advanced victim control," Akamai researchers noted.
