InfoSecBulletin Cybersecurity for mankind
DataDog security researchers found that hackers are widely exploiting Docker Swarm, Kubernetes, and SSH servers. The newly discovered malware campaign focuses on “Docker” and “Kubernetes” environments and uses “Docker API” endpoint vulnerabilities as the ‘initial access vector.’
Hackers Exploiting Servers in Large Scale:
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack
Daily Security Update Dated: 21.01.2025
126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems
CERT-UA alerts about “security audit” requests through AnyDesk
Oracle Critical Pre-Release update addressed 320 flaw
OWASP Reveils Top 10 Smart Contract Vulnerabilities for 2025
Multiple Azure DevOps Vulns Allow To Inject CRLF Queries & Rebind DNS
Intel holds 22 employees from one Bangladeshi University
VPN Surge 1500% in USA after TikTok Shut Down
MITRE Launches D3FEND 1.0; The Milestone for Cybersecurity Ontology
The hackers install “cryptocurrency mining software” on the compromised containers and use them to launch follow-up attacks.
These malicious payloads target the Kubernetes kubelet API, allowing attackers to allocate more resources and deploy additional malware. The campaign also uses a Docker hub to share the malware.
Under the name “nmlmweb3,” there are usernames of repositories that are malicious.
The attackers begin by using exposed Docker APIs to create an “Alpine container” and run an “init.sh” initialization script.
This script installs the “XMRig miner,” applies “process hiding techniques,” and “fetches additional payloads.”
Lateral movement is enabled via scripts against “Kubernetes” ‘kube.lateral.sh,’ “Docker” ‘spread_docker_local.sh,’ and “SSH” ‘spread_ssh.sh.’
In addition to using tools like “masscan” and “zgrab,” the malware also scans the network for vulnerable endpoints.
The malware disables security features, adds mining programs, and tries to spread to other machines.
The campaign also targets the perpetrator’s use of cloud services, specifically “GitHub” and “Codespaces,” in search of credential files.
Throughout the attack, the malware not only employs numerous “evasion techniques” but also tries to implement various strategies to maintain “persistence mechanisms.”
In this event the threat actors employed a “multi-stage approach,” initially exploiting exposed “Docker API endpoints” to gain access.
They then deployed various malicious payloads like “init.sh,” “kube.lateral.sh,” and “setup_xmr.sh,” which facilitated the “lateral movement” and “resource hijacking.”
The main aim was to mine cryptocurrency using the XMRig miner for Monero. They used scripts like “ar.sh” and “pdflushs.sh” for persistence, modifying iptables rules, adjusting system settings, and installing SSH backdoors.
The campaign demonstrated sophisticated evasion techniques like using “libprocesshider” to hide malicious processes.
Infrastructure analysis revealed connections to solscan[. ]live, a domain used for command and control (C2) and payload delivery.
While some tactics have coincided with those attributed to the “TeamTNT,” a known threat group. But here the final attribution still remains “uncertain.”
This attack illustrates the need for strong security measures in protecting “Docker” and “Kubernetes” deployments.
