BleepingComputer reports that LemonDuck botnet operators have launched an ongoing widespread cryptomining campaign targeted at Docker APIs on Linux servers.
CrowdStrike researchers found that, after reaching an exposed Docker API, LemonDuck launches a malicious container that retrieves a Bash script disguised as a PNG image. The script was observed killing cryptocurrency-mining processes, daemons, and network connections to rival cryptomining groups' command-and-control servers, deleting known indicator-of-compromise file paths, and disabling the Alibaba Cloud tracking service. It then runs the XMRig cryptomining utility with a configuration file that hides the attacker's wallets, according to the report. LemonDuck also uses SSH keys found on the filesystem to move laterally across affected networks. A separate Cisco Talos report noted that the TeamTNT threat group is likewise attacking exposed Docker API instances on AWS, mining cryptocurrency while evading detection by disabling cloud security tooling.
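The two host-side conditions that make the campaign above possible are a Docker daemon whose API listens on plain TCP without TLS client verification, and a payload whose file name says "PNG" while its bytes say "shell script". The following is an added defensive audit, not code from BleepingComputer, CrowdStrike, or Cisco Talos: it reads a `daemon.json` and flags unauthenticated `tcp://` listeners (the `hosts` and `tlsverify` keys are real Docker daemon settings; the sample configurations and sample file contents are constructed here), and it checks any `.png`-named file against the PNG signature so a disguised script stands out before it is ever executed.

```python
import json
from typing import Dict, List

# Every real PNG begins with this 8-byte signature; a ".png" that lacks it is not an image.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample daemon.json: the API is bound on plain TCP on every interface,
# which is what an "exposed Docker API" looks like from the host's side.
UNSAFE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened counterpart: the TCP listener requires TLS client certificates.
SAFE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def exposed_api_hosts(daemon_json: str) -> List[str]:
    """Return the tcp:// listeners in a daemon.json that are not protected by
    TLS client verification. Unix sockets are local-only and are ignored."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify") is True:
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def is_png_masquerade(filename: str, content: bytes) -> bool:
    """True when a file carries a .png name but does not start with the PNG
    signature, i.e. the extension is a disguise rather than the format."""
    return filename.lower().endswith(".png") and not content.startswith(PNG_MAGIC)


def looks_like_shell_script(content: bytes) -> bool:
    """Cheap content check: a shebang line that names a shell interpreter."""
    first_line = content.split(b"\n", 1)[0]
    return first_line.startswith(b"#!") and b"sh" in first_line


def audit(daemon_json: str, files: Dict[str, bytes]) -> List[str]:
    """Run both checks and return human-readable findings, configuration first."""
    findings = []
    for host in exposed_api_hosts(daemon_json):
        findings.append(f"docker API exposed without TLS verification on {host}")
    for name, data in files.items():
        if is_png_masquerade(name, data):
            kind = "shell script" if looks_like_shell_script(data) else "non-PNG data"
            findings.append(f"{name} has a .png name but contains {kind}")
    return findings


if __name__ == "__main__":
    # Constructed sample files: one genuine PNG header, one script stub with a .png name.
    sample_files = {
        "logo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
        "update.png": b"#!/bin/bash\necho placeholder\n",
    }
    for line in audit(UNSAFE_DAEMON_JSON, sample_files):
        print("FINDING:", line)
    print("hardened config findings:", audit(SAFE_DAEMON_JSON, sample_files))
```

The signature check is deliberately format-level rather than signature-based on any particular campaign: it catches any script hidden behind an image extension, not just the one described here. The configuration check is a starting point, not a substitute for keeping the daemon port off the internet with host or cloud firewall rules and for alerting on unexpected container creation.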
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.
A staffer working for Sen. Eric Schmitt, R-Mo., said that Chinese threat actors exfiltrated 60,000 emails from U.S. State Department accounts during the widespread compromise of Microsoft email accounts that began in May, according to Reuters.