Cyber Security

Hackers Focusing on WebLogic Servers and Docker APIs for Mining Cryptocurrencies

Malicious actors resembling Kinsing are making the most of each lately disclosed and older safety flaws in Oracle WebLogic Server to ship cryptocurrency-mining malware.

Cybersecurity firm Pattern Micro stated it discovered the financially-motivated group leveraging the vulnerability to drop Python scripts with capabilities to disable working system (OS) security measures resembling Safety-Enhanced Linux (SELinux), and others.

The operators behind the Kinsing malware have a historical past of scanning for susceptible servers to co-opt them right into a botnet, together with that of Redis, SaltStack, Log4Shell, Spring4Shell, and the Atlassian Confluence flaw (CVE-2022-26134).


The Kinsing actors have additionally been concerned in campaigns in opposition to container environments through misconfigured open Docker Daemon API ports to launch a crypto miner and subsequently unfold the malware to different containers and hosts.

The newest wave of assaults entails the actor weaponizing CVE-2020-14882 (CVSS rating: 9.8), a two-year-old distant code execution (RCE) bug, in opposition to unpatched servers to grab management of the server and drop malicious payloads.

It is value noting that the vulnerability has been exploited up to now by a number of botnets to distribute Monero miners and the Tsunami backdoor on contaminated Linux methods.

Profitable exploitation of the flaw was succeeded by the deployment of a shell script that is chargeable for a collection of actions: Eradicating the /var/log/syslog system log, turning off security measures and cloud service brokers from Alibaba and Tencent, and killing competing miner processes.

The shell script then proceeds to obtain the Kinsing malware from a distant server, whereas additionally taking steps to make sure persistence via cron job.

“The profitable exploitation of this vulnerability can result in RCE, which may enable attackers to carry out a plethora of malicious actions on affected methods,” Pattern Micro stated. “This will vary from malware execution […] to theft of essential knowledge, and even full management of a compromised machine.”

TeamTNT actors make a comeback with the Kangaroo Assault

The event comes as researchers from Aqua Safety recognized three new assaults linked to a different “vibrant” cryptojacking group known as TeamTNT, which voluntarily shut store in November 2021.

“TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container picture, with a command line to obtain a shell script ( to a C2 server,” Aqua Safety researcher Assaf Morag stated.

What’s notable concerning the assault chain is that it seems to be designed to interrupt SECP256K1 encryption, which, if profitable, may give the actor the flexibility to calculate the keys to any cryptocurrency pockets. Put otherwise, the concept is to leverage the excessive however unlawful computational energy of its targets to run the ECDLP solver and get the important thing.


Two different assaults mounted by the group entail the exploitation of uncovered Redis servers and misconfigured Docker APIs to deploy coin miners and Tsunami binaries.

TeamTNT’s concentrating on of Docker REST APIs has been well-documented over the previous yr. However in an operational safety blunder noticed by Pattern Micro, credentials related to two of the attacker-controlled DockerHub accounts have been uncovered.

The accounts – alpineos and sandeep078 – are stated to have been used to distribute a wide range of malicious payloads like rootkits, Kubernetes exploit kits, credential stealers, XMRig Monero miners, and even the Kinsing malware.

“The account alpineos was utilized in exploitation makes an attempt on our honeypots 3 times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany,” Pattern Micro’s Nitesh Surana stated.

“The risk actors have been logged in to their accounts on the DockerHub registry and doubtless forgot to sign off.” Alternatively, “the risk actors logged in to their DockerHub account utilizing the credentials of alpineos.”

Pattern Micro stated the malicious alpineos picture had been downloaded greater than 150,000 occasions, including it notified Docker about these accounts.

It is also recommending organizations to configure the uncovered REST API with TLS to mitigate adversary-in-the-middle (AiTM) assaults, in addition to use credential shops and helpers to host person credentials.

What's your reaction?

Leave A Reply

Your email address will not be published.