LemonDuck bot targets Docker cloud instances to mine cryptocurrency on Linux systems

The LemonDuck cryptomining bot targets cloud Docker instances on platforms using Linux, researchers have reported. Pictured: A Bitcoin logo is seen during the Bitcoin 2022 conference at the Miami Beach Convention Center on April 8, 2022 in Miami. (Photo by Marco Bello/Getty Images)

Researchers on Thursday discovered the notorious LemonDuck cryptomining bot targeting Docker cloud instances to mine cryptocurrency on Linux platforms.

In a blog post, the CrowdStrike Cloud Threat Research team said the LemonDuck botnet attempted to monetize its efforts through concurrent campaigns to mine cryptocurrency like Monero.

Researchers claim that Docker primarily gets used to running container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Then an attacker can leverage this API to run a cryptocurrency miner inside an attacker-controlled container.

As cloud adoption increases across multiple industries, the use of attacks similar to this will continue to grow, said Dave Cundiff, CISO at Cyvatar. Cundiff said that Docker and other such tools are extremely beneficial in improving the day-to-day workflow of organizations to meet the growing needs of their customers. However, Cundiff said administrators sometimes miscalculate the need for security in containerized environments.

“Containers make environments more secure, but some simple misconfigurations could enable these types of attacks,” Cundiff said. “As the CrowdStrike report shows, a poorly exposed API to the internet allows attackers to take advantage of the target infrastructure and then pivot internally to other containers. protect environments.

Although Docker offers a high degree of programmability, flexibility and automation, it has the unintended side effect of increasing the attack surface, said Ratan Tipirneni, president and CEO of Tigera. Tipirneni said this is especially true as container technologies are adopted more widely by the mainstream market.

“This creates an easy target for adversaries who compromise Docker, as it frees up a lot of computing power for cryptomining,” Tipirneni said. “Given the high degree of programmability, flexibility, and automation of cloud infrastructure, an attacker can use Docker instances as an initial entry point and then have the ability to move laterally to the entire cloud infrastructure.”

John Bambenek, principal threat hunter at Netenrich, said Docker and other automated systems are an idea for cryptocurrency because they are unprotected and considered not too essential. As long as the Docker instance isn’t dealing with critical data, it’s often seen as an unimportant DevOps tool, so it becomes a low hanging fruit, Bambenek explained.

“Ultimately, organizations need to control their DevOps resources and manage their cloud spend,” Bambenek said. “Management doesn’t need to be strict. Cloud companies should disable cryptocurrency mining in general. I can’t think of a single company that has a business need to mine Monero in a work Docker. It’s not exactly profitable.”


Comments are closed.