About 400 servers running virtualization software Docker were found to be vulnerable to outside exploitation. Most of them were seemingly running Monero (XMR) mining software, cybersecurity company Imperva reports on March 4.
A misconfiguration of the vulnerable Docker hosts permits public access to the Docker API, which should only be locally accessible. This misconfiguration, combined with a newly discovered vulnerability, allows attackers to obtain administrator rights on the server and install software of their choice.
Since a hacker could install any software this way, the vulnerability doesn't only permit cryptojacking, but also the installation of any other malware or use of the hosts to carry out any kind of attacks. Researchers at Imperva claim to have found 3,822 misconfigured hosts (with the API exposed), of which about 400 were actually accessible. The report notes:
“We found that most of the [400] exposed Docker remote API IPs are running a cryptocurrency miner for a currency called Monero.”
Lastly, the data on the server is also accessible to the hacker, including the database and some unencrypted credentials, including passwords, Imperva notes.
As Cointelegraph reported in mid-February, United States-based software corporation Microsoft has removed eight Windows 10 applications from its official app store after cybersecurity firm Symantec identified the presence of surreptitious Monero mining code.
Also in February, Cointelegraph wrote that cryptocurrency mining malware continues to target major corporations, hijacking victims to mine altcoin Monero.
While cryptojaking is seemingly widely used as a way to earn money among cybercriminals, legitimate cryptocurrency mining service Coinhive, which specifically mines Monero, has shut down at the end of February, as the project has reportedly become economically inviable.