A recently uncovered cryptojacking campaign is targeting vulnerable Docker and Kubernetes infrastructure. Named ‘Kiss-a-dog’ by security researchers at CrowdStrike, the campaign has been using multiple command-and-control (C2) servers to carry out attacks with the goal of mining cryptocurrency.
In addition to using user and kernel mode rootkits to conceal their activities, the threat actors behind the Kiss-a-dog campaign have been backdooring compromised containers, moving laterally within networks, and establishing persistence. CrowdStrike has linked this campaign to cryptojacking groups like TeamTNT, known for targeting Docker and Kubernetes environments.
The decline in cryptocurrency prices in mid-2022 led to a reduction in activity by threat groups targeting digital currencies in containerized environments. However, with the recent increase in cryptocurrency values, these campaigns are expected to rise once again. CrowdStrike’s honeypots detected numerous campaigns in September 2022 focusing on exploiting vulnerabilities in Docker and Kubernetes.
One of the techniques observed in the Kiss-a-dog campaign involves using a host mount to break out of containers, a common tactic among crypto miners. According to CrowdStrike, attackers are taking advantage of the wide and easily accessible Docker attack surface on the internet.
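One way to check a host for the host-mount condition described above, as an added example that is not from CrowdStrike's report: it reads `docker inspect` JSON and flags bind mounts that expose sensitive host paths to a container. The list of sensitive paths and the sample containers are assumptions constructed for illustration.

```python
import json

# Host paths that give a container leverage over the host when bind-mounted.
# This list is an assumption for the example; extend it for your environment.
SENSITIVE = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock",
             "/run/docker.sock", "/var/lib/docker", "/var/lib/kubelet")

def risky_path(src):
    """True if src is a sensitive path, lies inside one, or contains one."""
    src = src.rstrip("/")  # "/" becomes "", which is an ancestor of every path
    return any(p == src or src.startswith(p + "/") or p.startswith(src + "/")
               for p in SENSITIVE)

def audit(inspect_json):
    """Return (container, finding) pairs from `docker inspect` JSON output."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        for m in c.get("Mounts") or []:
            src = m.get("Source")
            # Named volumes also live under /var/lib/docker; only bind mounts
            # map an arbitrary host path into the container.
            if m.get("Type") == "bind" and src and risky_path(src):
                mode = "rw" if m.get("RW") else "ro"
                findings.append((name, f"bind {src} -> {m.get('Destination')} ({mode})"))
    return findings

# Constructed sample, shaped like the output of `docker inspect <ids>`.
SAMPLE = json.dumps([
    {"Name": "/web", "Mounts": [
        {"Type": "bind", "Source": "/srv/web/html",
         "Destination": "/usr/share/nginx/html", "RW": False},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data",
         "Destination": "/cache", "RW": True}]},
    {"Name": "/job-7", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Name": "/agent", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/backup", "Mounts": [
        {"Type": "bind", "Source": "/var", "Destination": "/mnt/var", "RW": False}]},
])

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

On a live host the input would come from `docker inspect $(docker ps -q)`; a read-only finding still exposes host data and deserves review.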
These cryptojacking campaigns can persist for days to months, depending on the success rate of the attacks. As cryptocurrency prices fluctuate, there has been a resurgence in these campaigns aiming to capitalize on the current market conditions. Cloud security professionals are advised to remain vigilant and ensure the security of their cloud infrastructure.
For further insights on securing Kubernetes environments, readers can refer to a recent analysis by James Brown, senior vice president of customer success at Lacework. Stay informed and proactive to protect against cryptojacking threats targeting Docker and Kubernetes infrastructure.