A new cryptojacking campaign has been discovered targeting vulnerable Docker and Kubernetes infrastructure.
Dubbed ‘Kiss-a-dog’ by CrowdStrike security researchers, the campaign has used several command-and-control (C2) servers to launch attacks aiming at mining cryptocurrency.
The threat actors have also utilized user and kernel mode rootkits to hide the activity, backdoor compromised containers, move laterally in the network and gain persistence.
“CrowdStrike has previously uncovered campaigns targeting vulnerable cloud infrastructure by cryptojacking botnets/groups like LemonDuck and Watchdog,” reads an advisory published by the team on Wednesday.
“Kiss-a-dog relies on tools and techniques previously associated with cryptojacking groups like TeamTNT, which targeted vulnerable Docker and Kubernetes infrastructure.”
According to the security experts, the crypto crash in mid-2022 caused several threat groups to diminish their activity targeting digital currencies in containerized environments. The trend would now be changing upward alongside the value of cryptocurrencies.
“In September 2022, one of CrowdStrike’s honeypots spotted a number of campaigns enumerating vulnerable container attack surfaces like Docker and Kubernetes,” the company wrote.
“The Kiss-a-dog campaign uses a host mount to escape from the container. The technique itself is not new and seems to be common among crypto miners as an attempt to break out of containers,” CrowdStrike explained.
“This is attributed to a lack of innovation by attackers and at the same time speaks to the vast and easy Docker attack surface exposed and available on the internet.”
The cybersecurity company has also said that these campaigns by cryptojacking groups could last from days to months, depending on the success rate of the attacks.
“As cryptocurrency prices have dropped, these campaigns have been muffled in the past couple of months until multiple campaigns were launched in October to take advantage of a low competitive environment,” warned CrowdStrike.
“Cloud security practitioners need to be aware of such campaigns and make sure that their cloud infrastructure doesn’t fall prey.”
For more information about how to secure Kubernetes environments, you can read this recent analysis by James Brown, senior vice president of customer success at Lacework.