Current Cyber Threats

Off Your Docker: Exposed APIs Are Targeted in New Malware Strain


Summary:

Security researchers at Akamai have uncovered a new malware campaign that specifically targets exposed Docker Engine APIs. Attackers are using automated scanning to find publicly accessible instances and then deploy malicious containers designed for cryptomining and persistence. The malware not only hijacks system resources but also modifies configurations and deploys additional payloads to maintain long-term access. By exploiting misconfigured or unsecured Docker environments, threat actors are expanding their infrastructure for large-scale malicious operations.

Security Officer Comments:
This campaign highlights the growing danger of insecure container environments, Docker in particular. Organizations routinely neglect authentication on the Docker Engine API and leave the daemon reachable from the internet, where automated scanners locate and exploit it with little effort. It also shows how attackers continue to shift toward cloud-native environments, which provide the scalability and compute capacity that make cryptomining profitable. Maintaining a solid container security posture, together with regular (at least bi-weekly) auditing of cloud assets for exposed services, remains essential.

Suggested Corrections:

  • Do not expose the Docker Engine API over unauthenticated TCP (the conventional plaintext port is 2375). If remote access is required, bind the daemon to an internal interface and enable TLS with client-certificate verification (tlsverify) on port 2376.
  • Use firewall rules, network segmentation, or VPNs to limit exposure to trusted IP ranges.
  • Regularly update Docker and container images to reduce the risk of known vulnerabilities.
  • Monitor for unusual resource usage and container activity that may indicate compromise, such as unexpected containers running privileged, sharing the host PID or network namespace, or mounting the Docker socket or host root filesystem.
  • Adopt a least-privilege approach for container permissions and runtime capabilities: no --privileged, no unnecessary CapAdd, read-only bind mounts where possible.
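The following audit script ties the corrections above together. It is an added example written for this bulletin, not code from Akamai, Trend Micro or the Docker project. It flags the daemon-side exposure (a tcp:// listener on all interfaces without tlsverify in daemon.json) and the container-side indicators (privileged mode, host PID/network namespaces, a mounted Docker socket or host root filesystem, dangerous added capabilities, and an "always" restart policy used for persistence). The daemon.json and the trimmed docker inspect records are constructed samples; the certificate paths and container names are illustrative assumptions.

```python
"""Audit Docker daemon config and container inspect output for the weaknesses
abused by campaigns against exposed Docker Engine APIs. Constructed input only."""
import json
from urllib.parse import urlsplit

# Constructed /etc/docker/daemon.json: plaintext Engine API on every interface.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: one internal address, TLS with client
# certificate verification. Paths are illustrative assumptions.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.5.10:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed, trimmed `docker inspect` records: a benign web container and one
# shaped like a miner dropped through the API (names are hypothetical).
CONTAINERS = [
    {"Name": "/web", "Config": {"Image": "nginx:1.27"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                    "CapAdd": None, "RestartPolicy": {"Name": "unless-stopped"}}},
    {"Name": "/k8s-proxy", "Config": {"Image": "alpine:latest"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
                    "CapAdd": ["SYS_ADMIN", "NET_ADMIN"],
                    "RestartPolicy": {"Name": "always"}}},
]

ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]"}
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE",
                  "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_daemon(config: dict) -> list[str]:
    """Findings for a parsed daemon.json; an empty list means nothing flagged."""
    findings = []
    for host in config.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not network-reachable
        hostname = urlsplit(host).hostname or ""
        if hostname in ALL_INTERFACES:
            findings.append(f"{host}: Engine API bound to all interfaces")
        if not config.get("tlsverify"):
            findings.append(f"{host}: remote API without TLS client verification")
    return findings


def audit_container(inspect: dict) -> list[str]:
    """Findings for one `docker inspect` record (HostConfig subset)."""
    name = inspect["Name"].lstrip("/")
    hc = inspect.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: privileged container (all capabilities, device access)")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append(f"{name}: shares host network namespace")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src == "/":
            findings.append(f"{name}: host root filesystem mounted")
        elif src.endswith("docker.sock"):
            findings.append(f"{name}: Docker socket mounted (can drive the engine)")
    caps = set(hc.get("CapAdd") or []) & DANGEROUS_CAPS
    if caps:
        findings.append(f"{name}: dangerous capabilities added: {', '.join(sorted(caps))}")
    # Persistence only matters once something else is wrong with the container.
    if findings and hc.get("RestartPolicy", {}).get("Name") == "always":
        findings.append(f"{name}: restart policy 'always' persists the above across reboots")
    return findings


def audit_all(daemon_json: str, containers: list[dict]) -> list[str]:
    """Combine daemon and container findings for one host."""
    findings = audit_daemon(json.loads(daemon_json))
    for container in containers:
        findings.extend(audit_container(container))
    return findings


if __name__ == "__main__":
    for line in audit_all(WEAK_DAEMON_JSON, CONTAINERS):
        print("FINDING:", line)
    print("hardened daemon:", audit_all(HARDENED_DAEMON_JSON, []) or "no findings")
```

In practice the daemon config comes from /etc/docker/daemon.json (or the dockerd command line, which the script does not parse) and the container records from `docker inspect $(docker ps -aq)`. The restart-policy check is deliberately conditional so that a legitimately configured long-running service is not flagged for persistence alone.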

Link(s):
https://www.akamai.com/blog/security-research/new-malware-targeting-docker-apis-akamai-hunt
https://www.trendmicro.com/en_fi/research/25/f/tor-enabled-docker-exploit.html