According to Microsoft’s security team, the operators of the LemonDuck botnet are using it in a cryptocurrency-mining campaign. Security researchers state that the malware exploits older vulnerabilities, most of which already have patches available, to get into cloud systems and servers; these include EternalBlue, BlueKeep and the Microsoft Exchange ProxyLogon bugs. The threat actors behind the malware are currently targeting Docker instances, and its operators are known to be selective about the timing of an attack: for example, they may strike while teams are focused on patching a newly disclosed vulnerability rather than investigating a possible compromise, which buys the attackers time.
LemonDuck started out targeting only Windows machines but has since expanded to Linux and Docker. In the ongoing campaign the attackers gain initial access to cloud instances mainly through the Docker API. The misconfiguration they rely on is API exposure: a Docker daemon that has been set to listen on a network port without TLS client authentication will accept container-management commands from anyone who can reach it, and the attackers use that access to carry out malicious actions such as deploying exploit kits and malware.
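The following audit script is an added example, not code from the article, from Microsoft or from the LemonDuck research: it checks a Docker daemon's listener configuration for the exposed-API misconfiguration described above. It assumes the daemon is configured through the documented daemon.json keys ("hosts", "tlsverify") and/or the dockerd flags -H/--host and --tlsverify; the sample configurations, the helper and the finding format are constructed for this example.

```python
"""Audit a Docker daemon's listener configuration for an exposed API.

Added example, not from the article or from the LemonDuck research. Assumes the
documented daemon.json keys ("hosts", "tlsverify") and dockerd flags
(-H/--host, --tlsverify); the sample configs below are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

DEFAULT_TCP_PORT = 2375            # dockerd's default when a tcp:// host omits the port
WILDCARDS = {"", "0.0.0.0", "::"}  # addresses that bind every interface

# Constructed sample: the weak setting (plain TCP, no client auth, all interfaces).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample: the corrected setting (TLS with client-certificate verification).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def _hosts_and_tlsverify(daemon_json: str, cmdline: str):
    """Collect listener URLs and whether client-cert verification is enabled."""
    cfg = json.loads(daemon_json) if daemon_json else {}
    hosts = list(cfg.get("hosts", []))
    tls_verify = bool(cfg.get("tlsverify", False))
    argv = shlex.split(cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def audit_daemon(daemon_json: str = "", cmdline: str = "") -> list:
    """Return (severity, message) findings; an empty list means no TCP listener.

    Note that --tls alone (server cert only) is not enough: without
    --tlsverify the daemon still accepts any client, so it is reported.
    """
    hosts, tls_verify = _hosts_and_tlsverify(daemon_json, cmdline)
    findings = []
    for h in hosts:
        url = urlsplit(h)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        addr = url.hostname or ""
        port = url.port or DEFAULT_TCP_PORT
        where = f"tcp://{addr}:{port}"
        if addr in WILDCARDS and not tls_verify:
            findings.append(("CRITICAL", f"unauthenticated Docker API on all interfaces ({where})"))
        elif not tls_verify:
            findings.append(("HIGH", f"unauthenticated Docker API bound to {where}"))
        else:
            findings.append(("INFO", f"Docker API on {where} with TLS client-cert verification"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon(daemon_json=cfg))
    print("cmdline", audit_daemon(cmdline="dockerd -H fd:// -H tcp://0.0.0.0:2375"))
```

On a real host, feed it the contents of /etc/docker/daemon.json and the dockerd command line from `ps` or `systemctl cat docker`, then confirm with `ss -ltnp` that nothing is actually listening on 2375/2376 unless the TLS client-auth finding is the one you expect, and check the cloud security-group or firewall rules for those ports as well.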
Read More: LemonDuck botnet plunders Docker cloud instances in cryptocurrency crime wave