Type
Campaign
Actors
WatchDog
Pub. date
September 1, 2022
Initial access
Impact
Resource hijacking
Observed techniques
Exploiting host mount to escape to hostAbusing exposed Docker socketRedis-as-a-backdoorCloud compute cryptojackingPhishing
Targeted technologies
KubernetesRedisDocker
References
https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.html https://twitter.com/techyteachme/status/1621688055584231424https://www.antiy.cn/research/notice&report/research_report/WatchDogTrojans_Analysis.html
Status
Finalized
Last edited
Jun 2, 2024 11:56 AM
CrowdStrike uncovered a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog”-themed mining pool domains.
Nicknamed “Kiss-a-dog,” the campaign used multiple command-and-control (C2) servers to launch attacks that attempted to mine cryptocurrency, utilize user and kernel mode rootkits to hide the activity, backdoor compromised containers, move laterally in the network and gain persistence.
The attackers gained initial access through an exposed Docker socket, then used a container escape and deployed a cryptominer on the infected workload. Finally, they used a Redis service for persistence.