Monero cryptominers hijack hundreds of unpatched Docker hosts

A recently disclosed vulnerability in the Docker containerisation platform is being exploited by cybercriminals to mine the Monero (XMR) cryptocurrency on hundreds of servers.

Security company Imperva used Shodan to find open ports running Docker, finding 3,822 on which the platform's remote API was publicly exposed.

Of these, around 400 had accessible IP addresses on port 2735/2736, the API's listening ports. The majority turned out to be running cryptominers, with legitimate MySQL and Apache production servers on a smaller number.

Used to configure containers, Docker's API ports shouldn't be accessible externally. Combined with CVE-2019-5736, a critical root access vulnerability in Docker's default container runtime, runC, this could quickly lead to a full compromise.
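
A host owner can check for this exposure in their own daemon configuration. The following is an added example, not code from the article or from Imperva: it audits the `hosts` and `tlsverify` settings of a Docker `daemon.json` and classifies each TCP listener by bind address and client authentication. The sample documents, file paths and function names are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json documents (not taken from any real host).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
MUTUAL_TLS = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'


def is_loopback(host):
    """True only when the bind address is unambiguously local."""
    if host is None:
        return False  # no explicit host: treated as exposed (conservative assumption)
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname may resolve to a routable interface


def audit_daemon_json(text):
    """Return (listener, verdict) pairs for every TCP listener in a daemon.json."""
    cfg = json.loads(text)
    # Only "tlsverify" makes the daemon demand a client certificate;
    # "tls" alone encrypts the channel but authenticates nobody.
    client_certs = bool(cfg.get("tlsverify"))
    results = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if is_loopback(url.hostname):
            verdict = "local-only"
        elif client_certs:
            verdict = "network-reachable, client certificate required"
        else:
            verdict = "EXPOSED: unauthenticated remote API"
        results.append((listener, verdict))
    return results
```

Listeners passed to `dockerd` with `-H` on the command line do not appear in `daemon.json` and need the same review.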
