Cybersecurity researchers have identified a persistent and ambitious campaign that targets thousands of Docker servers daily with a Bitcoin (BTC) miner.

In a report published on April 3, Aqua Security issued a threat alert over the attack, which has ostensibly “been going on for months, with thousands of attempts taking place nearly on a daily basis.” The researchers warn:

“These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date.”

Such scope and ambition indicate that the illicit Bitcoin mining campaign is unlikely to be “an improvised endeavor,” as the actors behind it must be relying on significant resources and infrastructure.

Kinsing malware attack volumes, Dec. 2019-March 2020. Source: Aqua Security blog

Using its virus analysis tools, Aqua Security has identified the malware as a Golang-based Linux agent, known as Kinsing. The malware propagates by exploiting misconfigurations in Docker API ports. It runs an Ubuntu container, which downloads Kinsing and then attempts to spread the malware to further containers and hosts.

The campaign’s end-goal — achieved by first exploiting the open port and then carrying through with a series of evasion tactics — is to deploy a crypto miner on the compromised host, the researchers say.

Infographic showing the full flow of a Kinsing attack. Source: Aqua Security blog

Security teams need to up their game, says Aqua

Aqua’s study provides detailed insight into the components of the malware campaign, which stands out as a forceful example of what the firm claims is “the growing threat to cloud native environments.”

Attackers are upping their game to mount ever more sophisticated and ambitious attacks, the researchers note. In response, enterprise security teams need to develop a more robust strategy to mitigate these new risks.

Among their recommendations, Aqua proposes that teams identify all cloud resources and group them in a logical structure, review their authorization and authentication policies, and adjust basic security policies according to a principle of “least privilege.”

Teams should also investigate logs to locate user actions that register as anomalies, as well as implement cloud security tools to strengthen their strategy.

Growing awareness

Last month, Singapore-based unicorn startup Acronis published the results of its latest cybersecurity survey. It revealed that 86% of IT professionals are concerned about cryptojacking — the industry term for the practice of using a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.