CrowdStrike Details LemonDuck Cryptojacking Container Attack Campaign

CrowdStrike has published an alert detailing an active campaign that uses compromised containers to mine for cryptocurrency on Linux platforms launched via a botnet known as LemonDuck.

LemonDuck is a cryptomining botnet that previously was seen targeting Microsoft Exchange servers via the ProxyLogon vulnerability that enables it to use malware such as EternalBlue and BlueKeep to mine cryptocurrency, escalate privileges and move laterally across networks.

Specifically, it runs a malicious container on an exposed Docker API by using a custom Docker ENTRYPOINT to download a core.png image file that is disguised as a Bash script. The file “core.png” was downloaded from a domain t.m7n0y[.]com, which is associated with LemonDuck. The domain has a self-signed certificate installed that was generated in May 2021 with an expiration date set for May 2022. The unique certificate signatures lead to other domains that are actively used by this threat actor and that might be the command-and-control mechanism used to manage the overall campaign.

In some instances, the cryptomining malware can even disable some cloud defenses. For example, an agent-based Alibaba service for monitoring cloud or container instances for malicious activities can be disabled to avoid detection.

Cybercriminals are exploiting misconfigured Docker application programming interfaces (APIs) to run a cryptocurrency miner inside a container. Cybercriminals, however, can also escape a running container by abusing privileges and misconfigurations in addition to exploiting multiple vulnerabilities found in the container runtimes.

Scott Fanning, senior director of product management for cloud security at CrowdStrike, says that while cryptojacking, in general, is still perceived to be a victimless crime, it’s apparent cybercriminals have found ways to compromise containers. It’s only a matter of time before those same tactics are employed to double-dip into a compromised IT environment to launch a more severe attack, he notes. It’s also not uncommon for cybercriminals to sell access to compromised IT environments to larger cybercriminal cartels, adds Fanning. It’s important to remember that good fences, as always, make for good neighbors, he says.

In general, cybercriminals are also looking to compromise stateful cloud-native microservices built using containers because they are often being used to drive digital business transformation initiatives involving sensitive data. As such, container security is starting to become a much larger aspect of maintaining the integrity of a software supply chain.

There’s clearly still work to be done when it comes to container security. Far too many developers, for example, assume that because a container only runs for a few seconds, a cybercriminal will not have the time to discover and exploit it. Cybercriminals, however, are now continuously scanning for container vulnerabilities within software supply chains. In fact, it only takes a few seconds for many cybercriminals to insert malware into an IT environment once they discover a vulnerability.

One way or another, container security will eventually improve. The issue is whether it will occur proactively or in the wake of an inevitable breach that might compromise an entire enterprise IT environment.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1389 posts and counting. See all posts by Mike Vizard