Cryptomining Attack Exploits Docker API Misconfiguration Since 2019
Cybersecurity researchers have uncovered a campaign, dubbed “Autom”, that exploits misconfigured Docker APIs to gain initial access and plant backdoors on compromised hosts, with the end goal of mining cryptocurrency on those machines. The campaign has been active since 2019 yet went unnoticed by the security community. It takes its name from the shell script “autom.sh” that the attackers use to carry out the attack. The entry point, the exposed and misconfigured Docker API, has stayed the same for the whole period the campaign has been active, but the evasion tactics have varied, which is why some of its activity has gone undetected.
Team Nautilus, the research arm of Aqua Security, detailed the campaign in a report released on Wednesday. Since 2019 the attackers have hit honeypots set up by Team Nautilus 84 times: 22 attacks in 2019, 58 in 2020 and four in 2021. The researchers also note that although attacks on the honeypots fell sharply in 2021, targeting of poorly configured Docker APIs overall did not. Most of the attackers who hit the honeypots used the same entry point and tactics, but over the past few years the threat actors have added more evasive maneuvers that help them avoid detection.
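The misconfiguration both paragraphs above refer to is a Docker daemon whose Engine API listens on a TCP port without TLS client authentication, so that anyone who can reach the port can create privileged containers and take over the host. The following is an added example, written for this page and not taken from the Aqua report or from the campaign's own tooling, that audits a dockerd listener configuration for exactly that condition. It assumes only Docker's documented configuration sources (the "hosts" and "tlsverify" keys of daemon.json and the -H/--host and --tlsverify command-line flags); the sample configurations inside it are constructed.

```python
"""Audit a Docker daemon's listener configuration for the misconfiguration
the Autom campaign abuses: the Engine API reachable over plain TCP with no
client authentication.

Added example (not from the Aqua report). Assumes only dockerd's documented
configuration sources: daemon.json ("hosts", "tlsverify") and the -H/--host
and --tlsverify command-line flags.
"""
import ipaddress
import json
import shlex
from urllib.parse import urlsplit

DEFAULT_PLAINTEXT_PORT = 2375  # conventional port for the unencrypted Engine API
LOOPBACK_NAMES = {"localhost"}


def _hosts_from_cmdline(tokens):
    """Collect every -H / --host value from a tokenised dockerd command line."""
    hosts = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
        elif tok.startswith("-H") and len(tok) > 2:
            hosts.append(tok[2:].lstrip("="))  # handles -Htcp://... and -H=tcp://...
        i += 1
    return hosts


def _is_loopback(addr):
    """True for 127.x / ::1 / localhost; False for hostnames and wildcard binds."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # a hostname, or "" for a bind on every interface
        return False


def audit_docker_listeners(daemon_json="{}", cmdline="dockerd"):
    """Return (severity, host, message) tuples for every risky tcp:// listener.

    Docker refuses to start if "hosts" is given both in daemon.json and on the
    command line; the two sources are merged here only so either can be audited.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    tokens = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", [])) + _hosts_from_cmdline(tokens)
    tls_client_auth = cfg.get("tlsverify") is True or any(
        tok in ("--tlsverify", "--tlsverify=true") for tok in tokens
    )
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// are local-only, not network reachable
        url = urlsplit(host)
        addr = url.hostname or ""  # "" or 0.0.0.0 / :: means every interface
        port = url.port or DEFAULT_PLAINTEXT_PORT
        if not tls_client_auth:
            if _is_loopback(addr):
                findings.append(("WARNING", host,
                    f"plaintext Engine API on loopback port {port}: any local "
                    "process can drive the daemon and escalate to root"))
            else:
                findings.append(("CRITICAL", host,
                    f"plaintext Engine API on port {port} with no client "
                    "authentication: anyone who can reach it can start a "
                    "privileged container and take over the host"))
        elif not _is_loopback(addr):
            findings.append(("WARNING", host,
                f"TLS-authenticated Engine API on port {port} is network "
                "reachable; restrict it with a firewall or an allowlist"))
    return findings


# Constructed sample configurations (not taken from any real host).
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg, cmd in [
        ("exposed daemon.json", EXPOSED_DAEMON_JSON, "dockerd"),
        ("hardened daemon.json", HARDENED_DAEMON_JSON, "dockerd"),
        ("systemd unit flags", "{}", "dockerd -H fd:// -H tcp://0.0.0.0:2375"),
    ]:
        print(label)
        for sev, host, msg in audit_docker_listeners(cfg, cmd) or [("OK", "-", "no tcp:// listener")]:
            print(f"  [{sev}] {host}: {msg}")
```

A stock Docker install listens only on the unix socket, so any tcp:// entry the audit finds was added deliberately and deserves a second look. The "hardened" sample still draws a warning on purpose: tlsverify requires a client certificate signed by the configured CA, which keeps the Autom-style opportunistic scanner out, but the port is still reachable and should be firewalled as well. From another machine, an exposed daemon can be confirmed with `docker -H tcp://<host>:2375 info`; if that returns daemon details without any credentials, the host is in exactly the state this campaign looks for.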