Tuesday , January 28 2025
Hackers

DataDog research
Hackers to exploit Docker, Kubernetes & SSH Servers large scale

DataDog security researchers found that hackers are widely exploiting Docker Swarm, Kubernetes, and SSH servers. The newly discovered malware campaign focuses on “Docker” and “Kubernetes” environments and uses “Docker API” endpoint vulnerabilities as the ‘initial access vector.’

Hackers Exploiting Servers in Large Scale:

Apple fixed year’s first actively exploited zero-day flaw

Apple has issued security updates to address a zero-day flaw affecting iPhone users that is currently being exploited in attacks....
Read More
Apple fixed year’s first actively exploited zero-day flaw

DeepSeek Hit by massive Cyber Attack, Limits Registrations

DeepSeek, a Chinese AI startup that recently surpassed OpenAI's ChatGPT as the top free app on Apple's App Store in...
Read More
DeepSeek Hit by massive Cyber Attack, Limits Registrations

GitHub Desktop Vuln Credential Leaks via Malicious Remote URLs

Multiple security vulnerabilities have been found in GitHub Desktop and other Git projects. If exploited, these could allow attackers to...
Read More
GitHub Desktop Vuln Credential Leaks via Malicious Remote URLs

Burp Suite 2025.1 released: Featuring Intruder Capabilities & Bug Fixes

PortSwigger has launched Burp Suite 2025.1, adding new features and improvements to enhance usability and efficiency for penetration testers. This...
Read More
Burp Suite 2025.1 released: Featuring Intruder Capabilities & Bug Fixes

UnitedHealth confirms 190 million impacted by 2024 data breach

UnitedHealth confirmed that the ransomware attack on its Change Healthcare unit last February impacted about 190 million Americans, nearly double...
Read More
UnitedHealth confirms 190 million impacted by 2024 data breach

Registration Open For BCS CTF 2025

So, to test your cyber security skill, here is another chance to do that. Bangladesh computer society (BCS) is going...
Read More
Registration Open For BCS CTF 2025

New Ransomware Tactics Target VMware ESXi Via SSH Tunneling

Sygnia's recent report highlights the changing strategies of ransomware groups targeting VMware ESXi appliances. These attackers exploit vital virtual infrastructure...
Read More
New Ransomware Tactics Target VMware ESXi Via SSH Tunneling

Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass

An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting...
Read More
Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass

CISA Releases 6 ICS Advisories Detailing Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released 6 advisories for Industrial Control Systems (ICS), highlighting vulnerabilities in various...
Read More
CISA Releases 6 ICS Advisories Detailing Security Issues

Account Credentials for Security Vendors Found on Dark Web: Cyble Report

# "While many leaked security credentials belong to customers, some exposed sensitive accounts suggest that security vendors too have been...
Read More
Account Credentials for Security Vendors Found on Dark Web: Cyble Report

The hackers install “cryptocurrency mining software” on the compromised containers and use them to launch follow-up attacks.

These malicious payloads target the Kubernetes kubelet API, allowing attackers to allocate more resources and deploy additional malware. The campaign also uses a Docker hub to share the malware.

Under the name “nmlmweb3,” there are usernames of repositories that are malicious.

The attackers begin by using exposed Docker APIs to create an “Alpine container” and run an “init.sh” initialization script.

    (Attack Flow (Source – DATADOG Security Labs)

This script installs the “XMRig miner,” applies “process hiding techniques,” and “fetches additional payloads.”

Lateral movement is enabled via scripts against “Kubernetes” ‘kube.lateral.sh,’ “Docker” ‘spread_docker_local.sh,’ and “SSH” ‘spread_ssh.sh.’

In addition to using tools like “masscan” and “zgrab,” the malware also scans the network for vulnerable endpoints.

The malware disables security features, adds mining programs, and tries to spread to other machines.

The campaign also targets the perpetrator’s use of cloud services, specifically “GitHub” and “Codespaces,” in search of credential files.

Throughout the attack, the malware not only employs numerous “evasion techniques” but also tries to implement various strategies to maintain “persistence mechanisms.”

In this event the threat actors employed a “multi-stage approach,” initially exploiting exposed “Docker API endpoints” to gain access.⁤

They then deployed various malicious payloads like “init.sh,” “kube.lateral.sh,” and “setup_xmr.sh,” which facilitated the “lateral movement” and “resource hijacking.” ⁤⁤

The main aim was to mine cryptocurrency using the XMRig miner for Monero. They used scripts like “ar.sh” and “pdflushs.sh” for persistence, modifying iptables rules, adjusting system settings, and installing SSH backdoors.

The campaign demonstrated sophisticated evasion techniques like using “libprocesshider” to hide malicious processes.

Infrastructure analysis revealed connections to solscan[. ]live, a domain used for command and control (C2) and payload delivery.

⁤While some tactics have coincided with those attributed to the “TeamTNT,” a known threat group. But here the final attribution still remains “uncertain.” ⁤

This attack illustrates the need for strong security measures in protecting “Docker” and “Kubernetes” deployments.

Check Also

Cyberattack

Cyberattack Hit Japan Airlines Systems, delaying flights

Japan Airlines reported a cyberattack on Thursday that delayed over 20 domestic flights. The airline …

Leave a Reply

Your email address will not be published. Required fields are marked *