Campaign exploits misconfigured Docker APIs to gain network entry and ultimately sets up a backdoor on compromised hosts to mine cryptocurrency.
Hackers behind a cryptomining campaign have managed to avoid detection since 2019. The attacks exploited misconfigured Docker APIs that allowed them to gain network entry and ultimately set up a backdoor on compromised hosts to mine cryptocurrency, researchers said.
The attack technique is script-based and dubbed “Autom”, because it exploits the file “autom.sh”. Attackers have consistently abused the API misconfiguration during the campaign’s active period; however, the evasion tactics have varied, allowing adversaries to fly under the radar, wrote Aquasec’s research arm Team Nautilus in a report published Wednesday.
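The entry point the report describes is a misconfigured Docker API. The script below is an added example, not code from the Aqua/Team Nautilus report or from the campaign, and it assumes the misconfiguration in question is the common one: the Docker Engine API listening on a TCP socket without TLS client-certificate verification. It audits a `daemon.json` document for that condition; the sample configurations are constructed for illustration.

```python
"""Audit a Docker daemon.json for an Engine API socket exposed without TLS.

Added example (not from the Autom report). Assumption: the dangerous
misconfiguration is a `tcp://` listener in `hosts` with `tlsverify` unset,
which lets anyone who can reach the port drive the daemon unauthenticated.
"""
import json
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample configurations (not taken from any real host).
SAMPLE_LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock"]}'
SAMPLE_EXPOSED = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
)
SAMPLE_TLS = (
    '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true,'
    ' "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server.pem",'
    ' "tlskey": "/etc/docker/server-key.pem"}'
)


def _is_loopback(host: str) -> bool:
    """True for 127.x.x.x, ::1 or 'localhost'; False for wildcard/external."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # empty string or non-literal hostname
        return False


def audit_daemon_config(config_text: str) -> list[str]:
    """Return severity-tagged findings for one daemon.json document."""
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only by construction
        addr = parts.hostname or ""  # "" when written as tcp://:2375
        if not tls_verify:
            if _is_loopback(addr):
                findings.append(
                    f"WARNING: {host} - plaintext API on loopback; any local "
                    "process can control the daemon"
                )
            else:
                findings.append(
                    f"CRITICAL: {host} - Engine API reachable from the network "
                    "with no TLS client authentication"
                )
        else:
            missing = [k for k in ("tlscacert", "tlscert", "tlskey") if k not in cfg]
            if missing:
                findings.append(
                    f"WARNING: {host} - tlsverify set but missing {', '.join(missing)}"
                )
    return findings


if __name__ == "__main__":
    for label, sample in (("local-only", SAMPLE_LOCAL_ONLY),
                          ("exposed", SAMPLE_EXPOSED),
                          ("tls", SAMPLE_TLS)):
        print(label, audit_daemon_config(sample) or ["OK"])
```

Run it against `/etc/docker/daemon.json` on hosts you manage; a `CRITICAL` finding is the condition a campaign like this one depends on, and the fix is either dropping the `tcp://` listener or enabling `tlsverify` with a CA-issued server certificate.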
Attackers hit honeypots set up by Team Nautilus 84 times since 2019: 22 attacks in 2019, 58 in 2020, and four in 2021 before researchers began writing up their report in October. While attacks on the honeypots decreased significantly this year, overall targeting of poorly configured Docker APIs did not, according to a Shodan search, researchers noted.
“This decrease in attacks on our honeypots might imply that the attackers identified them and therefore reduced the volume of their