Type: Campaign
Actors: Unknown
Pub. date: September 23, 2024
Initial access: Software misconfig
Impact: Resource hijacking
Observed techniques: Network lateral movement; Misconfigured Docker abuse
Observed tools: Masscan; Zgrab
Targeted technologies: Docker; Kubernetes
References: https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/
Status: Finalized
Last edited: Jan 8, 2025 3:49 PM
Datadog Security Research has uncovered a sophisticated cryptojacking campaign targeting microservice technologies, specifically Docker and Kubernetes. The threat actors exploit exposed Docker Engine APIs to gain initial access, deploying cryptocurrency miners on compromised containers. They then execute additional malicious payloads to facilitate lateral movement to other hosts running Docker, Kubernetes, or SSH services.
Notably, hardcoded file system paths in the payloads suggest that the attackers may be targeting compute infrastructure used for GitHub Codespaces.