How Docker Containers Make Life Easy for Bitcoin-Mining Attackers

Crypto-mining script kiddies are coming to steal your Docker environment. That’s the warning from Aqua Security, which has published a report about attacks against containerized environments by people who want to mine cryptocurrency such as bitcoin.

The report, which was published Feb. 15, details how security researchers at Aqua set up a honeypot Docker environment to lure in an attacker. The intruder attempted to launch containers for mining Monero, a cryptocurrency.

The researchers’ main goal was to demonstrate how pre-production Docker environments tend to be poorly secured and may contain security vulnerabilities that attackers can exploit.

Cryptocurrency Mining and Docker Security

The more interesting part of the story, however, is that it highlights how easy containers make it to take over someone else’s computing resources and use them for compute-intensive tasks, such as cryptocurrency mining.

Stealing infrastructure rather than data is a different sort of attack from the ones we’re used to reading about. Digital data heists tend to make bigger headlines, but the theft of compute resources can be just as profitable for attackers who use the resources to mine cryptocurrency.

That is because the amount of computing power required to mine cryptocurrency is enormous. Measured in terms of electricity costs, a single bitcoin requires several thousand dollars' worth of energy to create, for example. Mining also ties up a lot of computing power. If you can create bitcoin or another cryptocurrency using someone else’s computers and infrastructure, your mining operation is much more profitable than it would be if you had to pay for that overhead yourself.

The attractiveness of stealing computing resources for cryptocurrency mining is only likely to grow. Mining costs generally increase over time because most cryptocurrencies are designed in a way that makes mining more difficult as more coins come into existence.

In the attack Aqua described, the attackers deployed containers to mine Monero, a cryptocurrency that is somewhat easier to mine than Bitcoin. But the attackers’ goals and the harm to victims are the same, no matter which type of digital currency is being mined.

Docker’s Flip Side: Rapid Deployment of Malicious Code

Containers make these attacks easy to execute because containerized applications for performing mining operations can be spun up quickly by an attacker who manages to take control of a Docker environment.

This is the flip side of Docker: Just as containers make it easy to deploy an application quickly for legitimate users, they also enable rapid deployment of malicious code by attackers.

It’s worth noting, too, that no matter how well you secure your data, you could still be vulnerable to containerized attacks that take over your infrastructure. This is important to keep in mind because data security tends to be the top priority today, with engineers affording much less attention to protecting infrastructure itself.

Infrastructure theft can be quite costly, too, especially if attackers use your infrastructure to mine cryptocurrency. The resulting energy costs and strain on system resources are likely to prove much greater than they’d be in other types of attacks against infrastructure, where the intruders are interested only in using your server to host rogue websites or data. The latter attacks have a cost, too, but in most cases it is much lighter than the costs of unauthorized cryptocurrency mining.

The easy solution for preventing these types of attacks is to make sure you don’t leave your Docker environments exposed to the public internet. As the Aqua researchers noted, cryptocurrency mining attacks are popular among opportunistic “script-kiddies” who are not sophisticated cybercriminals but search out poorly secured environments that they can attack easily.

Still, the core security challenge for container admins remains: The convenience that Docker containers provide for legitimate users must be balanced with the ease that they afford malicious parties in executing attacks.
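One way to check for the exposure described above, as an added example that is not from the article or the Aqua report: a short Python audit of a Docker daemon.json that flags Engine API listeners reachable over TCP without client-certificate verification. It assumes that "exposed" means the Docker Engine API listening on a TCP socket; the function name, severity labels and sample configurations are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_daemon_config(text):
    """Return (listener, severity, reason) for each risky TCP listener in a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not network-reachable
        if cfg.get("tlsverify"):
            continue  # clients must present a certificate signed by the configured CA
        reason = ("TLS without client verification" if cfg.get("tls")
                  else "plaintext, no authentication")
        # A listener with no address is reported conservatively as exposed.
        local = url.hostname in LOOPBACK
        findings.append((listener, "warning" if local else "critical", reason))
    return findings

# Constructed sample configurations (not taken from the article or the Aqua report).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock"]}'
MUTUAL_TLS = '''{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true,
 "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
 "tlskey": "/etc/docker/server-key.pem"}'''

if __name__ == "__main__":
    samples = [("exposed", EXPOSED), ("local-only", LOCAL_ONLY), ("mutual-tls", MUTUAL_TLS)]
    for name, sample in samples:
        print(name, audit_daemon_config(sample) or "no exposed TCP listener")
```

Listeners can also be set with -H on the dockerd command line (for example in a systemd unit), which this check does not read, so inspect the running daemon's arguments as well.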

Christopher Tozzi

Christopher Tozzi has covered technology and business news for nearly a decade, specializing in open source, containers, big data, networking and security. He is currently Senior Editor and DevOps Analyst with and
