A recent report reveals the well-known crypto mining botnet LemonDuck can target Docker to secretly mine cryptocurrency on the Linux platform. LemonDuck targets Microsoft Exchange servers to mine crypto, escalate privileges and move sideways in compromised networks.

It takes advantage of Docker, a mainstream platform used for building, running and managing containerized workloads. Since Docker runs container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Attackers can then exploit this API to run a hidden crypto miner inside an attacker-controlled container.

Crypto boom brings risk

The crypto boom has led to a notable rise in illicit mining. According to a Google Threat Horizon report, 86% of compromised Google Cloud instances were used to perform crypto mining. Using someone else’s device without their permission to do this is also referred to as cryptojacking.

The LemonDuck botnet targets Docker to mine crypto on Linux systems. LemonDuck also monetizes its efforts via multiple campaigns at the same time to mine crypto such as Monero.

Docker-related risk

As a container workload orchestrator, Docker provides APIs to help with automation. Docker APIs can be used with local Linux sockets or daemons (the default port is 2375).

The threat report explains that since Docker mostly runs container workloads in the cloud, a cloud instance vulnerability can expose Docker APIs. From there, an attacker can exploit the exposed API to cryptojack from an infected container. Attackers can also interfere with containers by abusing privileges, misconfigurations and vulnerabilities found in the container runtime.

How LemonDuck works

According to the report, LemonDuck runs infected containers on an exposed Docker API. It does so by using a custom Docker ENTRYPOINT to download a ‘core.png’ image file disguised as Bash script.

Researchers detected multiple campaigns running via the domain targeting Windows and Linux platforms at the same time. LemonDuck also implements a crypto mining proxy pool. Proxy pools obscure the actual crypto wallet address.

The threat report states that rather than scanning public IP ranges for at-risk attack surfaces, LemonDuck attempts to move sideways by searching for SSH keys. This method of avoiding detection sets LemonDuck apart from other malicious botnets. Once it finds SSH keys, the attacker uses the keys to log in to access servers and run scripts.

How to thwart cryptojacking

Given the massive cloud and container use in enterprises, cryptojacking has proven to be a financially lucrative option for threat actors. Since cloud and container ecosystems heavily use Linux, people who run botnets like LemonDuck now target Docker for mining crypto on the Linux platform.

Some organizations mitigate API-related attacks by adopting a zero trust security model to verify and authorize API connections to an app or software. This approach ensures the interaction meets a security policy’s requirements. A zero trust security strategy also authenticates and authorizes API connections based on dynamic policies and context from as many data sources as possible.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…