Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers (Security News, November 2023)
Publicly accessible Docker Engine API instances are being targeted by threat actors in a campaign that co-opts the hosts into a distributed denial-of-service (DDoS) botnet dubbed OracleIV. "Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable," Cado researchers Nate Bill and Matt Muir said.
The attack begins with an HTTP POST request to the exposed Docker Engine API that instructs the daemon to pull the malicious image from Docker Hub; the container started from that image then runs a command that fetches a shell script from a command-and-control server.
oracleiv_latest purports to be a MySQL image for Docker and has been pulled 3,500 times to date.
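Two checks a defender would want after reading the description above, written here as an added example (not code from the article, Cado, or Docker): an audit of a Docker daemon.json for the unauthenticated TCP listener the campaign abuses, and a sweep of a GET /containers/json response for containers built from an unexpected image or from one whose name carries the reported "oracleiv" indicator. The daemon.json, the API response, the image namespace "example-user", and the image allowlist are all constructed for the example.

```python
"""Added example: offline checks for the Docker Engine API exposure that the
OracleIV campaign relies on. The daemon.json, the /containers/json payload,
the "example-user" namespace and the allowlist are constructed sample data
for this example, not observed indicators."""
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json: exposes the API on all interfaces over plain TCP.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Constructed sample of a GET /containers/json response (fields abbreviated).
SAMPLE_CONTAINERS_JSON = json.dumps([
    {"Id": "a1b2c3", "Names": ["/web"], "Image": "nginx:1.25", "State": "running"},
    {"Id": "d4e5f6", "Names": ["/db"], "Image": "mysql:8.0", "State": "running"},
    {"Id": "0badc0", "Names": ["/mysql-helper"],
     "Image": "example-user/oracleiv_latest", "State": "running"},
    {"Id": "777777", "Names": ["/scratch"], "Image": "alpine:3.18", "State": "running"},
])

IMAGE_ALLOWLIST = {"nginx", "mysql", "postgres"}  # hypothetical per-org allowlist
IOC_SUBSTRINGS = ("oracleiv",)                    # image-name indicator from the report


def audit_daemon_hosts(daemon_json_text):
    """Return findings for API listeners in daemon.json that a remote attacker
    could reach without TLS client authentication."""
    cfg = json.loads(daemon_json_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if not tls_verify:
            findings.append(
                f"{host}: plain TCP listener without tlsverify (unauthenticated remote API)")
        elif parts.hostname in ("0.0.0.0", "::", None):
            findings.append(
                f"{host}: TLS-protected but bound to all interfaces; restrict the bind address")
    return findings


def image_repo(image_ref):
    """Reduce an image reference to its repository name:
    'docker.io/library/mysql:8.0' -> 'mysql', 'reg:5000/team/app@sha256:..' -> 'app'."""
    ref = image_ref.split("@", 1)[0]   # drop digest
    name = ref.rsplit("/", 1)[-1]      # drop registry and namespace
    return name.split(":", 1)[0]       # drop tag


def find_suspicious_containers(containers_json_text):
    """Return (container name, image, reason) for every container whose image
    matches a known indicator or is not on the allowlist."""
    hits = []
    for c in json.loads(containers_json_text):
        image = c.get("Image", "")
        name = (c.get("Names") or ["?"])[0].lstrip("/")
        matched = [ioc for ioc in IOC_SUBSTRINGS if ioc in image.lower()]
        if matched:
            hits.append((name, image, f"matches indicator {matched[0]!r}"))
        elif image_repo(image) not in IMAGE_ALLOWLIST:
            hits.append((name, image, "image not on allowlist"))
    return hits


if __name__ == "__main__":
    for finding in audit_daemon_hosts(SAMPLE_DAEMON_JSON):
        print("daemon.json:", finding)
    for name, image, reason in find_suspicious_containers(SAMPLE_CONTAINERS_JSON):
        print(f"container {name} ({image}): {reason}")
```

The daemon check is the one that matters most: the campaign needs no exploit, only a daemon reachable over plain TCP. A `hosts` entry such as `tcp://0.0.0.0:2375` with `tlsverify` unset is the weak setting; the corrected form binds to a specific address on 2376 with `tlsverify`, `tlscacert`, `tlscert` and `tlskey` configured, and keeps the port closed at the network edge regardless.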
It's not just Docker: vulnerable MySQL servers have emerged as the target of another DDoS botnet malware known as Ddostf, according to the AhnLab Security Emergency Response Center.
"Only DDoS commands can be performed on the new C&C server. This implies that the Ddostf threat actor can infect numerous systems and then sell DDoS attacks as a service," AhnLab said.
Another DDoS malware that has resurfaced this year is XorDdos, which infects Linux devices and "transforms them into zombies" for follow-on DDoS attacks against targets of interest.
News URL
https://thehackernews.com/2023/11/alert-oracleiv-ddos-botnet-targets.html
Related news
- New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet
- New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries
- Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks
- Perfctl malware strikes again as crypto-crooks target Docker Remote API servers