Some 2,000 Docker hosts have been attacked and infected by a relatively basic worm that exploits misconfigured permissions to download and run cryptojacking software as malicious containers.
Network security firm Palo Alto Networks in a report today said that despite its “inept” programming, the so-called Graboid worm has been successful: it searches for unsecured docker daemons, uses the access to the Docker host to install malicious images from the Docker Hub, and then runs scripts downloaded from a command-and-control (C2) server.
Among the scripts are a cryptomining program that “mines” — or attempts to generate — the Monero cryptocurrency. Each miner is active about 63% of the time, according to Palo Alto.
Read more: Dark Reading