
WatchDog hacking group launches new Docker cryptojacking campaign
2022-06-03 17:50

The WatchDog hacking group is conducting a new cryptojacking campaign with advanced techniques for intrusion, worm-like propagation, and evasion of security software.

The hacking group targets exposed Docker Engine API endpoints and Redis servers and can quickly pivot from one compromised machine to the entire network.

Researchers at Cado Labs discovered the new hacking campaign and, after analyzing the threat actor's distinctive tactics, are confident in attributing it to WatchDog.

WatchDog launches the attacks by compromising misconfigured Docker Engine API endpoints that expose port 2375, which gives the attackers access to the daemon in its default settings.

The second script, "d.sh", is similar, but instead of Redis, it targets other Docker Engine API endpoints and infects them with a laced Alpine Linux container that runs the initial access script, "Cronb.sh".

Many of the scripts used by WatchDog contain logos and references for a rival hacking group known as TeamTNT, indicating that WatchDog likely stole the tools from their rival.


News URL

https://www.bleepingcomputer.com/news/security/watchdog-hacking-group-launches-new-docker-cryptojacking-campaign/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Docker 24 3 26 28 16 73