

Ethical Hacking News

A Tor-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs: A Growing Concern for Cybersecurity


Akamai has documented a cryptojacking campaign that breaks into misconfigured, internet-exposed Docker APIs and fetches its payloads over the Tor network. The attack chain starts by using the exposed API to create a new container and mount the host file system into it. The researchers recommend segmenting networks, limiting the exposure of services to the internet, and securing default credentials.

  • The campaign abuses misconfigured Docker APIs exposed on the internet (port 2375) to carry out cryptojacking attacks.
  • The new variant uses tooling similar to a previously disclosed campaign against exposed Docker instances, but appears to be laying the groundwork for a larger botnet.
  • The attack chain creates a container from the Alpine image, mounts the host file system into it, and runs a Base64-encoded payload that fetches a shell script downloader from a .onion domain.
  • The script installs masscan, torsocks and other tools to conduct reconnaissance and contact the command-and-control server over Tor.
  • An emoji in the dropper's code suggests it may have been generated with the help of a large language model (LLM).
  • The binary also contains checks for Telnet (port 23) and Chromium's remote debugging port (9222), although spreading via those ports is not yet fully implemented.
  • Cybersecurity experts emphasize segmenting networks, limiting exposure of services to the internet, and securing default credentials.



    A recent report by Akamai has shed light on a growing concern: a cryptojacking campaign that breaks into misconfigured Docker APIs and fetches its payloads over the Tor network. This latest variant of the campaign is also designed to block other actors from accessing the compromised host's Docker API from the internet.

    Akamai observed the campaign in late August 2025. It uses tooling similar to a previously disclosed campaign that targeted exposed Docker instances, but this strain appears to have a different end goal, possibly laying the foundation for a larger botnet.

    According to Yonatan Gilvarg, the Akamai security researcher who analysed the activity, the attack chain begins by breaking into a misconfigured Docker API to create a new container from the Alpine Docker image and mount the host file system into it. The threat actors then run a Base64-encoded payload that downloads a shell script downloader from a .onion domain.

    The script alters the SSH configuration to establish persistence and installs masscan, libpcap, libpcap-dev, zstd, and torsocks, which it uses to conduct reconnaissance, contact a command-and-control (C2) server over Tor, and download a compressed binary from a second .onion domain.
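    The two conditions the chain above depends on, a Docker API reachable over plain TCP and a container that bind-mounts the host root and bootstraps itself from a Base64 blob, are both visible locally. The following audit script is an added example (not code from Akamai's report or from the campaign): it checks a dockerd command line for unauthenticated TCP listeners and scans `docker inspect` records for host-root bind mounts, privileged mode and a base64-decode-into-shell command. The sample command line and inspect records are constructed for illustration; the Base64 heuristic is this example's own assumption, not a published indicator.

```python
"""Audit a Docker host for the exposure and container patterns described above.

Added example, not code from Akamai's report or from the campaign itself.
The sample dockerd command line and `docker inspect` records are constructed;
on a real host feed in `ps -o args= -C dockerd` and the output of
`docker inspect $(docker ps -aq)`.
"""
import json
import re

# Host paths that, if bind-mounted, give the container read/write access to
# the host (the campaign uses this to edit the SSH configuration).
HOST_ROOT_PATHS = {"/", "/etc", "/root", "/host"}

# Heuristic for an `echo <b64> | base64 -d | sh` bootstrap. This regex is an
# assumption of this example, not an indicator from the report.
B64_PIPE_RE = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:sh|bash|ash)\b", re.S)

# --tls alone encrypts but does not authenticate clients; only --tlsverify
# demands a client certificate.
TLSVERIFY_RE = re.compile(r"--tlsverify(?!=false)\b")


def audit_daemon_cmdline(cmdline: str) -> list[str]:
    """Flag dockerd listeners that expose the API over unauthenticated TCP."""
    findings = []
    hosts = re.findall(r"(?:-H|--host)[= ](\S+)", cmdline)
    tls_verify = TLSVERIFY_RE.search(cmdline) is not None
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// are local-only
        bind = h[len("tcp://"):]
        if not tls_verify:
            findings.append(f"API on {bind} without --tlsverify")
        if bind.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"API bound to all interfaces: {bind}")
    return findings


def audit_containers(inspects: list[dict]) -> list[str]:
    """Flag host-root bind mounts, privileged mode and a Base64 bootstrap
    command, the container-side traits of the infection chain."""
    findings = []
    for c in inspects:
        name = c.get("Name", "?").lstrip("/")
        cfg = c.get("Config") or {}
        host_cfg = c.get("HostConfig") or {}
        # Binds ("src:dst[:opts]") and Mounts both describe bind mounts.
        sources = {b.split(":", 1)[0] for b in host_cfg.get("Binds") or []}
        sources |= {m.get("Source", "") for m in c.get("Mounts") or []
                    if m.get("Type") == "bind"}
        for src in sorted(sources & HOST_ROOT_PATHS):
            findings.append(f"{name}: host path {src} bind-mounted into container")
        if host_cfg.get("Privileged"):
            findings.append(f"{name}: privileged container")
        argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
        if B64_PIPE_RE.search(" ".join(argv)):
            findings.append(f"{name}: command decodes Base64 into a shell "
                            f"(image {cfg.get('Image')})")
    return findings


# Constructed sample input: an all-interfaces listener and one container that
# looks like the campaign's (Alpine, host root at /hostroot, Base64 bootstrap).
SAMPLE_DOCKERD = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                  "--containerd=/run/containerd/containerd.sock")

SAMPLE_INSPECT = json.loads("""[
  {"Name": "/zealous_hopper",
   "Config": {"Image": "alpine",
              "Cmd": ["sh", "-c", "echo ZWNobyBoaQ== | base64 -d | sh"]},
   "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}]},
  {"Name": "/web",
   "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
   "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
   "Mounts": [{"Type": "bind", "Source": "/srv/www",
               "Destination": "/usr/share/nginx/html"}]}
]""")

if __name__ == "__main__":
    for f in audit_daemon_cmdline(SAMPLE_DOCKERD) + audit_containers(SAMPLE_INSPECT):
        print("FINDING:", f)
```

    Running it on the samples reports the unauthenticated 0.0.0.0:2375 listener and the host-root mount plus Base64 bootstrap of the Alpine container, while the nginx container is silent. The hardened equivalent of the flagged command line is `-H unix:///var/run/docker.sock` only, or a TCP listener restricted to a management interface with `--tlsverify` and the CA/cert/key flags.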

    The first file downloaded is a dropper written in Go that embeds the content it will drop, so the dropper stage itself makes no outbound network connections. Besides writing out another binary, it parses the utmp file to find who is currently logged in to the machine.
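    The utmp parsing the dropper performs is the same primitive an incident responder uses to reconstruct who was on a box. The following is an added example of that parsing (not the campaign's code): it decodes the glibc x86_64 struct utmp layout, which is assumed here and differs on other libcs, and keeps only USER_PROCESS entries, which are the sessions the system still regards as active. The records it reads are constructed in the block, not captured from a real host.

```python
"""Enumerate currently logged-in users from a Linux utmp file.

Added example of the utmp parsing the Go dropper performs; not the campaign's
code. Assumes the glibc struct utmp layout on x86_64 (384-byte records); the
sample records are constructed, not captured.
"""
import struct
from datetime import datetime, timezone
from pathlib import Path

# glibc struct utmp (x86_64): ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{termination,exit}, ut_session,
# ut_tv{sec,usec}, ut_addr_v6[4], __unused[20]. The 32-bit session and
# timeval fields keep the on-disk format identical on 32- and 64-bit glibc.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values from <utmp.h>


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list[dict]:
    """Decode every complete record; a truncated tail is ignored."""
    records = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _usec, *_rest) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": ut_type, "pid": pid, "line": _cstr(line),
            "user": _cstr(user), "host": _cstr(host),
            "login_time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def logged_in_users(data: bytes) -> list[dict]:
    """USER_PROCESS entries are the sessions still considered active."""
    return [r for r in parse_utmp(data) if r["type"] == USER_PROCESS]


def make_record(ut_type: int, pid: int, line: str, user: str,
                host: str, tv_sec: int) -> bytes:
    """Pack one record; used here only to construct sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"",
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


# Constructed sample: two live sessions, one closed session, and a truncated
# trailing record to exercise the length check.
SAMPLE_UTMP = b"".join([
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.5", 1757400000),
    make_record(DEAD_PROCESS, 3100, "pts/1", "", "", 1757390000),
    make_record(USER_PROCESS, 4300, "tty1", "root", "", 1757401000),
]) + b"\0" * 17

if __name__ == "__main__":
    path = Path("/var/run/utmp")
    data = path.read_bytes() if path.exists() else SAMPLE_UTMP
    for r in logged_in_users(data):
        print(f"{r['user']:<12} {r['line']:<8} {r['host']:<20} "
              f"{r['login_time']:%Y-%m-%d %H:%M:%S}")
```

    The same parser works on /var/log/wtmp (login history) and /var/log/btmp (failed logins), which is where a responder would look for the attacker's own SSH persistence being used; the only difference is that those files contain every record type, so filter on `type` accordingly.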

    Interestingly, the binary's source contains an emoji used to depict signed-in users, which suggests the artifact may have been generated with the help of a large language model (LLM). The dropper also launches masscan to scan the internet for Docker APIs exposed on port 2375 and propagates to those machines by repeating the same container-creation step with the Base64-encoded command.

    Furthermore, the binary includes checks for two more ports, 23 (Telnet) and 9222 (the remote debugging port of Chromium-based browsers), although the functionality to spread via those ports is not yet fully fleshed out. The Telnet routine uses a list of known default router and device credentials to brute-force logins and reports each successful sign-in, together with the destination IP address and the working credentials, to a webhook site endpoint.

    The use of the Go library chromedp against port 9222 highlights the growing trend of malware using web browsers as a communication medium. This is particularly concerning because the same library has previously been weaponized by North Korean threat actors to communicate with C2 servers, and by stealer malware to bypass Chrome's app-bound encryption by connecting remotely to Chromium sessions and siphoning cookies and other private data.

    Cybersecurity experts have emphasized the importance of segmenting networks, limiting the exposure of services to the internet, and securing default credentials. Organizations that adopt these measures significantly reduce their exposure to this kind of campaign.

    In a separate development, cloud security firm Wiz has detailed an Amazon Simple Email Service (SES) campaign in which compromised Amazon Web Services (AWS) access keys served as the launchpad for a mass phishing operation. The attackers used a compromised key to access the victim's AWS environment, work around SES's built-in sending restrictions, verify new sender identities, and methodically prepare and run the phishing campaign.

    The emails targeted organizations across multiple geographies and sectors and used tax-themed lures to redirect recipients to credential-harvesting pages. Wiz researchers Itay Harel and Hila Ramati cautioned that if SES is configured in an account, attackers can send email from the verified domains, enabling phishing that looks like it came from the organization and can be used for spear-phishing, fraud, data theft, or masquerading in business processes.
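    The preparatory steps Wiz describes, verifying new sender identities and lifting sending restrictions, are SES management calls that CloudTrail records, so they can be detected before the phishing volume starts. The following is an added example (not Wiz's detection logic or code) that groups SES setup calls by the access key that made them and flags keys acting from outside an assumed trusted egress range. The CloudTrail records are constructed; the SES v1/v2 API names and the record fields are real, the 10.0.0.0/8 allow list and the example key IDs are assumptions.

```python
"""Flag CloudTrail events that look like an attacker preparing SES for phishing
from a compromised access key, as described in the Wiz research.

Added example, not Wiz's detection logic. The records below are constructed;
the eventName values are real SES v1/v2 management actions.
"""
import ipaddress
import json
from collections import defaultdict

# Actions that stand up sending capability in an account.
SES_SETUP_ACTIONS = {
    "VerifyEmailIdentity", "VerifyDomainIdentity", "VerifyEmailAddress",  # SES v1
    "CreateEmailIdentity",                                                # SES v2
    "PutAccountDetails",            # v2: request production (out-of-sandbox) access
    "PutAccountSendingAttributes",  # v2: enable/disable sending
    "UpdateAccountSendingEnabled",  # v1 equivalent
}


def ses_setup_events(records: list[dict]) -> dict[str, list[dict]]:
    """Group SES setup calls by the access key that issued them."""
    by_key = defaultdict(list)
    for ev in records:
        if ev.get("eventSource") != "ses.amazonaws.com":
            continue
        if ev.get("eventName") not in SES_SETUP_ACTIONS:
            continue
        ident = ev.get("userIdentity") or {}
        params = ev.get("requestParameters") or {}
        by_key[ident.get("accessKeyId", "<none>")].append({
            "time": ev.get("eventTime"),
            "action": ev["eventName"],
            "src_ip": ev.get("sourceIPAddress", ""),
            # v2 uses emailIdentity; v1 uses domain / emailAddress
            "identity": (params.get("emailIdentity") or params.get("domain")
                         or params.get("emailAddress")),
        })
    return dict(by_key)


def _trusted(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # console / service principals carry a hostname here
        return False
    return any(addr in n for n in nets)


def suspicious_keys(records: list[dict],
                    trusted_cidrs=("10.0.0.0/8",)) -> list[str]:
    """Keys that performed SES setup from outside the trusted egress ranges.
    The default CIDR is an assumed corporate range, not a value from Wiz."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = [key for key, events in ses_setup_events(records).items()
               if any(not _trusted(e["src_ip"], nets) for e in events)]
    return sorted(flagged)


# Constructed CloudTrail excerpt: key ...001 verifies a look-alike identity and
# requests production access from an unknown IP; key ...002 does routine work
# from inside the trusted range; the IAM event is unrelated noise.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2025-09-08T02:14:07Z", "eventSource": "ses.amazonaws.com",
  "eventName": "CreateEmailIdentity", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                   "accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"emailIdentity": "billing-notices.example"}},
 {"eventTime": "2025-09-08T02:15:30Z", "eventSource": "ses.amazonaws.com",
  "eventName": "PutAccountDetails", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                   "accessKeyId": "AKIAEXAMPLE000000001"},
  "requestParameters": {"mailType": "TRANSACTIONAL",
                        "productionAccessEnabled": true}},
 {"eventTime": "2025-09-08T09:30:00Z", "eventSource": "ses.amazonaws.com",
  "eventName": "VerifyDomainIdentity", "awsRegion": "us-east-1",
  "sourceIPAddress": "10.20.0.4",
  "userIdentity": {"type": "IAMUser", "userName": "mail-admin",
                   "accessKeyId": "AKIAEXAMPLE000000002"},
  "requestParameters": {"domain": "mail.example.com"}},
 {"eventTime": "2025-09-08T10:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "sourceIPAddress": "10.20.0.4",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000002"}}
]}""")

if __name__ == "__main__":
    for key, events in ses_setup_events(SAMPLE_TRAIL["Records"]).items():
        for e in events:
            print(key, e["time"], e["action"], e["identity"], e["src_ip"])
    print("suspicious:", suspicious_keys(SAMPLE_TRAIL["Records"]))
```

    Feed it the `Records` array of a CloudTrail log file, or the results of an Athena query over the trail, and pair the result with a check that the flagged key's normal activity never touches SES; a CI key that suddenly creates an email identity and asks for production access is the pattern to page on.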



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Tor-Based-Cryptojacking-Attack-Expands-Through-Misconfigured-Docker-APIs-A-Growing-Concern-for-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.html


  • Published: Tue Sep 9 07:15:30 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
