Security News > 2022 > September > Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies
Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.
The Kinsing actors have also been involved in campaigns against container environments via misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently spread the malware to other containers and hosts.
The latest wave of attacks entails the actor weaponizing CVE-2020-14882, a two-year-old remote code execution bug, against unpatched servers to seize control of the server and drop malicious payloads.
"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script to a C2 server," Aqua Security researcher Assaf Morag said.
Two other attacks mounted by the group entail the exploitation of exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.
TeamTNT's targeting of Docker REST APIs has been well-documented over the past year.
News URL
https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html
Related news
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
- APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-10-21 | CVE-2020-14882 | Unspecified vulnerability in Oracle Weblogic Server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). | 0.0 |