Security News > 2022 > September > Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies
Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware.
The Kinsing actors have also been involved in campaigns against container environments via misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently spread the malware to other containers and hosts.
The latest wave of attacks entails the actor weaponizing CVE-2020-14882, a two-year-old remote code execution bug, against unpatched servers to seize control of the server and drop malicious payloads.
"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script to a C2 server," Aqua Security researcher Assaf Morag said.
Two other attacks mounted by the group entail the exploitation of exposed Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.
TeamTNT's targeting of Docker REST APIs has been well-documented over the past year.
News URL
https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.html
Related news
- Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining (source)
- Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware (source)
- Hackers exploit Ray framework flaw to breach servers, hijack resources (source)
- Targus discloses cyberattack after hackers detected on file servers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-21 | CVE-2020-14882 | Unspecified vulnerability in Oracle Weblogic Server Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). | 10.0 |