WebLogic servers, Docker API targeted in new cryptomining attacks

Threat actors have been targeting Oracle WebLogic Servers and Docker APIs to facilitate cryptomining malware deployment, according to The Hacker News. Kinsing malware operators have been exploiting new and old WebLogic flaws to deactivate security features baked in the operating system, a report from Trend Micro revealed. Vulnerable WebLogic servers have been compromised through attacks leveraging a remote code execution bug, tracked as CVE-2020-14882, which has been previously exploited for Monero miner and Tsunami backdoor deployment. "The successful exploitation of this vulnerability can lead to RCE, which can allow attackers to perform a plethora of malicious activities on affected systems. This can range from malware execution [...] to theft of critical data, and even complete control of a compromised machine," said Trend Micro. Meanwhile, a separate report from Aqua Security shed light on three new attacks from the TeamTNT cryptojacking group, which ended operations last November. "TeamTNT has been scanning for a misconfigured Docker Daemon and deploying alpine, a vanilla container image, with a command line to download a shell script (k.sh) to a C2 server," said Aqua Security researcher Assaf Morag, who added that the new attacks sought to break SECP256K1 encryption to compromise cryptocurrency wallets.