Exposed Docker APIs Likely Exploited to Build Botnet


Threat actors are exploiting exposed Docker APIs to deploy malware and cryptocurrency miners and potentially create a new botnet, Akamai’s security researchers warn.

Initially detailed by Trend Micro in June, the attacks start with a request to the exposed API to retrieve a list of containers, followed by the creation of a new container based on the Alpine Docker image.

Next, the attackers bind-mount the host's root filesystem into the fresh container, a technique that lets them read and modify the host system from inside the container and effectively escape it.
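A defender-side check for the host-root mount described above, added here as an example (it is not code from the article or from Akamai's or Trend Micro's research): it reads the JSON that `docker inspect` returns for containers and flags any whose host `/` is bind-mounted inside, or that run privileged. The sample inspect data is constructed; the field names (`Mounts`, `HostConfig.Binds`, `HostConfig.Privileged`) are those of the Docker Engine API's container inspect output.

```python
import json

# Constructed sample of `docker inspect` output for two containers (not real data):
# "web" has an ordinary bind mount, "sharp_banach" mounts the host root at /mnt.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}]},
    {"Id": "bbb222", "Name": "/sharp_banach", "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])


def host_root_mounts(container):
    """Return the in-container paths at which the host's '/' is bind-mounted."""
    hits = set()
    # Mounts is the resolved view; HostConfig.Binds keeps the raw "src:dst[:opts]" strings.
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            hits.add(mount.get("Destination"))
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2 and parts[0] == "/":
            hits.add(parts[1])
    return sorted(hits)


def find_suspicious(inspect_json):
    """Flag containers that bind-mount the host root or run privileged."""
    findings = []
    for c in json.loads(inspect_json):
        roots = host_root_mounts(c)
        privileged = bool((c.get("HostConfig") or {}).get("Privileged"))
        if roots or privileged:
            findings.append({
                "id": c["Id"],
                "name": c.get("Name", "").lstrip("/"),
                "image": (c.get("Config") or {}).get("Image"),
                "host_root_mounted_at": roots,
                "privileged": privileged,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_INSPECT):
        print(f"{f['name']} ({f['image']}): host root mounted at {f['host_root_mounted_at']}")
```

On a live host, feed it the output of `docker inspect $(docker ps -q)`; an unexpected Alpine container with `/` mounted is exactly the pattern the article describes.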

Hidden in the initial command is an encoded payload that leads to the execution of a shell script that sets up the Tor browser in the container and fetches a payload over the Tor network. They also set up a socks5h proxy configuration to route all traffic and DNS resolution through the anonymity network.

Once the container is started, the attackers deploy a malicious ...


This story was originally published by SecurityWeek, which holds the copyright; this page carries only an excerpt.