A fresh Linux backdoor called Doki is infesting Docker servers in the cloud, researchers warn, employing a brand-new technique: using a blockchain wallet for generating command-and-control (C2) domain names.

Doki, however, is meant to provide a persistent code-execution capability on an infected host, setting the scene for any number of malware-based attacks, from denial-of-service/sabotage to information exfiltration to ransomware, according to Intezer.

The campaign starts with an increasingly common attack vector: the compromise of misconfigured Docker API ports. Attackers scan for publicly accessible, open Docker servers in an automated fashion, then exploit them to set up their own containers and execute malware on the victim's infrastructure. Usually that malware is a cryptominer of some kind, as seen in April in a Bitcoin-mining campaign using the Kinsing malware — but Doki represents an evolution in payload.

The Doki attackers are using an existing Ngrok-based botnet to spread the backdoor, via a network scanner that targets hardcoded ranges of IP addresses for cloud providers, such as Amazon Web Services and local cloud providers in Austria, China and the United Kingdom. Ngrok is a legitimate reverse proxy service that cybercriminals have been using for C2 communications with infected bot endpoints. The scanner looks for potentially vulnerable targets, gathers relevant information and uploads it to a Ngrok URL controlled by the attackers. The…
Doki Backdoor Infiltrates Docker Servers in the Cloud. Syndicated by govanguard, 2020-07-30 13:00.
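As an added example (not code from the article, from Intezer or from the Doki authors), the following Python script audits a Docker `daemon.json` for the misconfiguration the campaign exploits: a Remote API listener bound to a non-loopback address without TLS client verification. The keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real dockerd options; the two sample configurations are constructed for the demonstration.

```python
"""Audit a Docker daemon.json for the exposure the Doki campaign relies on:
a Remote API listener reachable from the network without TLS client auth."""
import json
from urllib.parse import urlsplit

PLAINTEXT_API_PORT = 2375  # dockerd's conventional unauthenticated TCP port
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return one finding per risky `hosts` entry (empty list means no findings).

    Safe: unix:// or fd:// sockets, loopback-only TCP, or TCP with `tlsverify`.
    Flagged: TCP bound to a non-loopback address without `tlsverify`; anyone who
    can reach that port can create containers and run code as the daemon (root).
    """
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])  # dockerd default
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for entry in hosts:
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// are local to the host
        bind = parts.hostname or ""  # "" (as in tcp://:2375) binds all interfaces
        if bind in LOOPBACK:
            continue
        port = parts.port if parts.port is not None else PLAINTEXT_API_PORT
        if not tls_verify:
            shown = bind or "*"
            findings.append(
                f"{entry}: Remote API on {shown}:{port} without tlsverify; "
                "unauthenticated container creation is possible"
            )
    return findings


# Constructed sample configurations (not taken from any real host).
EXPOSED = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

The same check applies to `-H tcp://...` flags passed to dockerd on the command line, which override `hosts` in `daemon.json`.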