Illicit Bitcoin mining malware detected by researchers

Cybersecurity researchers at Aqua Security have identified a campaign that targets thousands of Docker servers daily with a Bitcoin (BTC) miner. In a recent report published by them, the firm issued a warning regarding the attack, which has “been going on for months, with thousands of attempts taking place nearly on a daily basis.”

The warning reads:

These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.

The scope and ambition reveal that the fraudulent Bitcoin mining campaign is not just “an improvised endeavor” as the people behind it must be relying on major infrastructure and resources.

Aqua Security has spotted the malware as a Golang-based Linux agent, known as Kinsing. The malware propagates by exploiting misconfigurations in Docker API ports. It runs an Ubuntu container, which downloads Kinsing and then tries to spread the malware to further hosts and containers. According to the researchers, the campaign’s goal is to deploy a crypto miner on the compromised host. This was planned to achieve by first exploiting the open port and then carrying through with a series of evasion tactics.

The team at Aqua Security has been able to provide valuable, detailed insight into the aspects of the malware campaign. They claim it to be a “growing threat to cloud-native environments.” The researchers noted that the attackers have been stepping up their game to carry out sophisticated and ambitious attacks. To fight this, enterprise security teams need to build a robust strategy to mitigate new risks. 

Aqua recommends security teams to locate all cloud resources and classify them in a logical structure, review their authorization and authentication policies, and adjust basic security policies based on the principle of “least privilege.” Teams are also advised to investigate logs to identify user actions that register as anomalies and implement cloud security tools to strengthen their strategy.