BleepingComputer reports that LemonDuck botnet operators have launched an ongoing widespread cryptomining campaign targeted at Docker APIs on Linux servers.
CrowdStrike researchers have discovered that after accessing exposed Docker APIs, LemonDuck runs a malicious container that retrieves a Bash script disguised as a PNG image. The Bash script was then observed to kill cryptocurrency mining-related processes, daemons, and network connections to other cryptomining groups' command-and-control servers, erase known indicator-of-compromise file paths, and deactivate the Alibaba Cloud monitoring service. The script then runs the XMRig cryptomining utility with a configuration file that conceals the attacker's wallets, according to the report. LemonDuck also uses SSH keys found on the filesystem to move laterally across affected networks. A separate report from Cisco Talos has noted that exposed AWS Docker API instances are also being attacked by the TeamTNT threat group, which has likewise been mining cryptocurrency while evading detection by deactivating cloud security systems.
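Both campaigns above begin with a Docker API that is reachable over the network without TLS client authentication. The following is an added example, not code from the CrowdStrike or Cisco Talos reports or from Docker itself: a small audit script that reads the two places where dockerd's listening sockets are normally declared, the `hosts` key of `/etc/docker/daemon.json` and `-H`/`--host` flags on the daemon command line, and rates any TCP listener that lacks `--tlsverify`. The sample configuration and command line are constructed for illustration.

```python
"""Audit a dockerd configuration for an API reachable over TCP without TLS
client authentication. Added example; not code from the reports or from Docker."""
import json
import shlex
from urllib.parse import urlparse

# Constructed sample inputs (hypothetical, not taken from the reports).
SAMPLE_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],'
    ' "tlsverify": false}'
)
SAMPLE_EXECSTART = (
    "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem"
)

WILDCARD = {"", "0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def hosts_from_daemon_json(text):
    """Return (listen addresses, tlsverify) parsed from daemon.json content."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def hosts_from_execstart(cmdline):
    """Return (listen addresses, tlsverify) parsed from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1  # consume the value that follows the flag
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def assess(hosts, tlsverify):
    """Rate each TCP listener; unix:// and fd:// sockets are local-only and skipped."""
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue
        addr = url.hostname or ""  # "tcp://:2375" has no hostname and means all interfaces
        if not tlsverify:
            if addr in WILDCARD:
                severity = "critical"  # anyone who can reach the port controls the host
            elif addr in LOOPBACK:
                severity = "medium"    # local processes only, but still unauthenticated
            else:
                severity = "high"
            findings.append((host, severity, "TCP API without --tlsverify"))
        elif addr in WILDCARD:
            findings.append((host, "low", "TLS-verified API bound on all interfaces"))
    return findings


def audit_daemon_json(text):
    return assess(*hosts_from_daemon_json(text))


def audit_execstart(cmdline):
    return assess(*hosts_from_execstart(cmdline))


if __name__ == "__main__":
    for source, result in (("daemon.json", audit_daemon_json(SAMPLE_DAEMON_JSON)),
                           ("ExecStart", audit_execstart(SAMPLE_EXECSTART))):
        for host, severity, reason in result:
            print(f"{source}: {host} [{severity}] {reason}")
```

On a real host, feed `audit_daemon_json` the contents of `/etc/docker/daemon.json` and `audit_execstart` the `ExecStart=` line from the docker systemd unit. A `critical` finding means the daemon accepts unauthenticated container creation from any network peer, which is exactly the entry point described above; the remediation is to drop the TCP listener or require `--tlsverify` with a CA you control, and to firewall ports 2375 and 2376.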
Vulnerable Apache NiFi deployments are being targeted in new attacks deploying the Kinsing cryptomining malware, as indicated by a significant increase in HTTP requests for "/nifi" on May 19, according to The Hacker News.
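The signal the report describes, a sharp rise in requests for "/nifi", is something a defender can watch for in ordinary web or proxy access logs. The following is an added example, not code from The Hacker News report or from Apache NiFi: it counts requests for the NiFi UI root per day and flags any day whose count is several times the mean of the other observed days. The log lines are constructed in Common Log Format with documentation-range addresses; the threshold values are assumptions to tune per environment.

```python
"""Flag days with an abnormal volume of requests for /nifi in access logs.
Added example; not code from the report or from Apache NiFi."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (hypothetical addresses and timestamps).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [17/May/2023:09:12:01 +0000] "GET /nifi HTTP/1.1" 200 4120',
    '203.0.113.7 - - [17/May/2023:09:12:05 +0000] "GET /nifi-api/flow/status HTTP/1.1" 200 880',
    '198.51.100.2 - - [17/May/2023:11:40:00 +0000] "GET /index.html HTTP/1.1" 200 1200',
    '203.0.113.9 - - [18/May/2023:08:00:13 +0000] "GET /nifi HTTP/1.1" 200 4120',
    '203.0.113.9 - - [18/May/2023:16:22:47 +0000] "GET /nifi/ HTTP/1.1" 200 4120',
] + [
    # Nine probes from nine different addresses on a single day.
    f'192.0.2.{i} - - [19/May/2023:{i:02d}:00:00 +0000] "GET /nifi HTTP/1.1" 200 4120'
    for i in range(1, 10)
]

# Captures the date, the method and the request path from a CLF line.
CLF_RE = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] "([A-Z]+) (\S+) ')


def is_nifi_ui_path(path):
    """Match the NiFi UI root (/nifi, /nifi/, /nifi?x=y) but not /nifi-api or /nifix."""
    base = path.split("?", 1)[0]
    return base == "/nifi" or base.startswith("/nifi/")


def daily_nifi_counts(lines):
    """Count /nifi requests per calendar day (days with no hits are absent)."""
    counts = Counter()
    for line in lines:
        m = CLF_RE.search(line)
        if m and is_nifi_ui_path(m.group(3)):
            counts[m.group(1)] += 1
    return counts


def spike_days(counts, factor=3.0, min_hits=5):
    """Days whose count is at least `factor` times the mean of the other days
    and at least `min_hits`; with no other days to compare, `min_hits` decides."""
    flagged = []
    for day, n in counts.items():
        others = [v for d, v in counts.items() if d != day]
        baseline = sum(others) / len(others) if others else 0.0
        if n >= min_hits and (baseline == 0.0 or n >= factor * baseline):
            flagged.append(day)
    return sorted(flagged, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))


if __name__ == "__main__":
    counts = daily_nifi_counts(SAMPLE_LOG_LINES)
    for day in spike_days(counts):
        print(f"{day}: {counts[day]} requests for /nifi (spike)")
```

Because `daily_nifi_counts` only records days that had at least one hit, run it over a full window of logs so quiet days enter the baseline, or pre-seed zero counts for days you know were quiet. A flagged day on a host that does not intentionally expose NiFi is a prompt to check the NiFi version and process list; a flagged day on a legitimate deployment is a prompt to compare the requesting addresses against known users.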
Cuba ransomware affiliate Void Rabisu, also known as Tropical Scorpius, ran a new RomCom malware campaign from December 2022 to April 2023, mostly targeting Eastern Europe, using numerous fraudulent websites masquerading as legitimate software, including ChatGPT, Gimp, AstraChat, and Go To Meeting, according to BleepingComputer.
The Anonymous Sudan threat operation has demanded that Scandinavian Airlines pay $3 million to put an end to distributed denial-of-service attacks against the airline's websites that began in February, reports The Record, a news site by cybersecurity firm Recorded Future.