Docker hosts hacked in ongoing website traffic theft scheme
A new campaign targeting vulnerable Docker services deploys an XMRig miner and the 9hits viewer app on compromised hosts, allowing a dual monetization strategy.
9hits is a web traffic exchange platform whose members earn credits by viewing each other's sites and spend those credits to drive traffic to their own.
In a campaign discovered by Cado Security, attackers deploy the 9hits viewer app on compromised Docker hosts to generate credits for themselves, exploiting the resources of those systems to drive traffic as part of the 9hits traffic exchange system.
While it is not clear how the threat actors find systems to breach, Cado believes the attackers likely use a network scanning product like Shodan to discover vulnerable servers, then breach them to deploy malicious containers via the exposed Docker API. The containers are run from images sourced from Docker Hub to reduce suspicion.
The spreader script captured in Cado's Docker honeypot uses the Docker CLI: it sets the DOCKER_HOST environment variable to point at the victim's API endpoint and then issues ordinary API calls to pull and run the containers.
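The entry point described above is a Docker API reachable over TCP without client authentication, and the post-compromise footprint is containers the host owner never started. The following is an added defender-side example, not code from the article or from Cado Security: it audits a `daemon.json` document for the weak listener configuration, shows the corrected form beside it, and triages `docker ps --format '{{json .}}'` output against an allowlist of expected images. All file contents, image names and container names below are constructed samples.

```python
import json

# Constructed sample daemon.json (not from the article): the weak configuration
# exposes the Docker API on a plain TCP port on every interface with no TLS
# client verification, so anyone who can reach the port controls the daemon.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Corrected configuration (constructed): remote access only on a specific
# interface, over TLS, with client certificates required (tlsverify).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return findings for a daemon.json document.

    Every tcp:// listener is a finding unless tlsverify is enabled; a listener
    bound to all interfaces (0.0.0.0, [::] or an empty host) is a second finding.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// sockets are local
        addr = host[len("tcp://"):]
        # Split off the port; "[::]:2375" keeps its brackets as the bind address.
        bind = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if not tls_verify:
            findings.append(f"{host}: Docker API over TCP without tlsverify")
        if bind in ("0.0.0.0", "[::]", ""):
            findings.append(f"{host}: listener bound to all interfaces")
    return findings


# Constructed lines in the shape produced by `docker ps --format '{{json .}}'`.
# Image and container names are placeholders, not indicators from the campaign.
SAMPLE_PS_LINES = [
    '{"ID":"1111aaaa2222","Image":"nginx:1.25","Names":"web","Command":"nginx -g daemon off;"}',
    '{"ID":"3333bbbb4444","Image":"internal/app:2.3","Names":"app","Command":"/app/run"}',
    '{"ID":"5555cccc6666","Image":"example-unknown/image-a:latest","Names":"vigilant_fox","Command":"/entry.sh"}',
    '{"ID":"7777dddd8888","Image":"example-unknown/image-b:latest","Names":"sharp_cat","Command":"/start"}',
]

# Images the host owner expects to be running (constructed allowlist).
EXPECTED_IMAGES = {"nginx:1.25", "internal/app:2.3"}


def unexpected_containers(ps_lines: list[str], allowed: set[str]) -> list[tuple[str, str]]:
    """Return (name, image) for every running container whose image is not
    in the allowlist. Auto-generated names like 'vigilant_fox' are a hint
    that a container was started by `docker run` without --name."""
    flagged = []
    for line in ps_lines:
        rec = json.loads(line)
        if rec["Image"] not in allowed:
            flagged.append((rec["Names"], rec["Image"]))
    return flagged


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
    for name, image in unexpected_containers(SAMPLE_PS_LINES, EXPECTED_IMAGES):
        print(f"unexpected container {name} from image {image}")
```

Note that `dockerd` can also receive its listeners from the command line (`-H tcp://...` in a systemd unit or shell wrapper), so an audit that reads only `daemon.json` misses that case; in practice check the running process arguments as well. Containers flagged by the allowlist check should be paired with the host's CPU and network usage, since the two payloads in this campaign show up as sustained CPU saturation and outbound bandwidth.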
"The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left," comments Cado Security in the report.