Researchers have found a malware operation in the wild targeting Docker servers. Dubbed Kinsing, the malware is actively targeting Docker servers with exposed API ports.
Reportedly, the security team at Aqua Security has found an active malware campaign targeting Docker servers. As elaborated in their blog post, the malware, dubbed Kinsing, is targeting Docker servers with exposed APIs in the wild. This allows the attackers to install cryptominers and exploit the infected servers to spread the infection.
As stated by the researchers,
While the detailed technical analysis of the attack is available in the researchers’ post, here is a brief summary.
The attack begins when the attackers detect an unprotected open Docker API port. They then instantiate an Ubuntu container with an entry point that downloads a shell script, d.sh, from one of their three IP addresses. This shell script performs various activities that facilitate the execution of the malware. The same script also downloads and runs the Kinsing malware.
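
One way to check a host for the precondition described above, a Docker API port reachable without authentication, is to audit the `hosts` and TLS keys of the daemon's `daemon.json`. This is an added example, not code from the original article or from Aqua Security's analysis. The sample configurations and certificate paths are constructed, and listeners passed with `-H` on the dockerd command line are assumed to be out of scope.

```python
import ipaddress
import json

def bind_address(host):
    """Extract the bind address from a tcp:// entry ('' means all interfaces)."""
    rest = host[len("tcp://"):]
    if rest.startswith("["):                     # bracketed IPv6, e.g. [::1]:2376
        return rest[1:rest.index("]")]
    return rest.split(":", 1)[0]

def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                           # '' or a hostname: assume reachable
        return False

def audit_daemon_config(text):
    """Return [(host, level)] for every TCP listener in a daemon.json document."""
    cfg = json.loads(text)
    # Only tlsverify makes the daemon demand a client certificate;
    # "tls": true alone encrypts the channel but accepts any client.
    client_auth = cfg.get("tlsverify") is True
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                             # unix:// and fd:// are local sockets
        if client_auth:
            level = "ok"
        elif is_loopback(bind_address(host)):
            level = "warn"                       # unauthenticated, local processes only
        else:
            level = "critical"                   # unauthenticated and network-reachable
        findings.append((host, level))
    return findings

# Constructed sample configurations (not taken from any real host).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_NO_CLIENT_AUTH = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
LOOPBACK = '{"hosts": ["tcp://127.0.0.1:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",     # placeholder paths
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})
```

A `critical` result marks a listener that anyone who can reach the port can use to create containers, which is the opening this campaign relies on.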