
LemonDuck bot targets Docker cloud instances to mine cryptocurrency on Linux systems


Researchers on Thursday found the well-known cryptomining bot LemonDuck targeting Docker cloud instances to mine cryptocurrency on Linux platforms.

In a blog post, the CrowdStrike Cloud Threat Research team said the LemonDuck botnet tried to monetize its efforts via simultaneous campaigns to mine cryptocurrency like Monero.

The researchers say that because Docker is primarily used to run container workloads in the cloud, a misconfigured cloud instance can expose the Docker API to the internet; an attacker can then use that API to run a cryptocurrency miner inside an attacker-controlled container.
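The misconfiguration described above is usually a Docker daemon that has been told to listen on a TCP socket, reachable from every interface, without TLS client verification. The following is an added example, not code from the article or from CrowdStrike: it audits a Docker `daemon.json` for exactly that condition and shows a weak configuration next to a hardened one. The two JSON documents and the certificate paths in them are constructed sample values, not taken from any real host.

```python
import json

# Constructed sample: the daemon listens on every interface on the
# unencrypted default port (2375) with no TLS client verification.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: TCP listener bound to one internal address on the
# TLS port (2376), clients must present a certificate signed by the CA.
# Certificate paths are placeholders for illustration.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Bind addresses that mean "all interfaces" in a Docker host URL.
ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}


def audit_docker_hosts(config_text):
    """Return a list of findings for each TCP listener in daemon.json.

    Checks performed:
      * TCP listener bound to all interfaces (internet-exposable).
      * TCP listener without "tlsverify": true, which is an unauthenticated
        API ("tls": true alone only encrypts; it does not verify clients).
    A unix socket listener produces no findings.
    """
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_only = bool(cfg.get("tls", False)) and not tls_verify

    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        hostport = listener[len("tcp://"):]
        host, _, port = hostport.rpartition(":")
        if host in ALL_INTERFACES:
            findings.append(f"{listener}: bound to all interfaces")
        if not tls_verify:
            reason = ("tls without tlsverify (encrypted but unauthenticated)"
                      if tls_only else "no TLS client verification")
            findings.append(f"{listener}: {reason}")
        if port == "2375":
            findings.append(f"{listener}: uses the unencrypted default port")
    return findings


def is_exposed(config_text):
    """True if any TCP listener is both all-interface and unauthenticated."""
    f = audit_docker_hosts(config_text)
    return any("all interfaces" in x for x in f) and any(
        "verification" in x or "unauthenticated" in x for x in f)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON),
                       ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}] exposed={is_exposed(cfg)}")
        for finding in audit_docker_hosts(cfg):
            print("   ", finding)
```

The check is deliberately conservative: a listener bound to a single internal address still gets a finding if `tlsverify` is absent, because a reachable but unauthenticated API is enough for the attacker-controlled-container scenario the researchers describe. On hosts that start `dockerd` with `-H` on the command line rather than via `daemon.json`, the same reasoning applies to the unit file's arguments.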

As cloud adoption increases across multiple industries, the use of attacks similar to this will continue to expand, said Dave Cundiff, CISO at Cyvatar. Cundiff said Docker and other tools of its kind are extremely beneficial in improving day-to-day workflow for organizations to meet the growing needs of their customers. However, Cundiff said administrators sometimes miscalculate the need for security within containerized environments.

“Containers provide for the ability to better secure environments, but some simple misconfigurations could allow for these types of attacks,” Cundiff said. “As shown in the CrowdStrike report, an incorrectly exposed API to the internet allows the attackers to take advantage of the target infrastructure and then pivot internally to other containers. Good hygiene of your environments is always the best first step to protect environments.”

While Docker provides a high degree of programmability, flexibility and automation, it has an unintended side effect of increasing the attack surface, said Ratan Tipirneni, president and CEO at Tigera. Tipirneni said it’s especially true as container technologies get adopted more broadly by the mainstream market.

“This creates a soft target for adversaries to compromise Docker since it unlocks a lot of compute power for cryptomining,” Tipirneni said. “Given the high degree of programmability, flexibility and automation in cloud infrastructure, an attacker can use Docker instances as the initial point of entry and then have the ability to move laterally to the entire cloud infrastructure.”

John Bambenek, principal threat hunter at Netenrich, said Docker and other automated systems are ideal for cryptocurrency mining as they are unprotected and viewed as not overly essential. As long as the Docker instance isn’t processing critical data, it’s often viewed as an unimportant DevOps tool, so it becomes low-hanging fruit, Bambenek explained.

“Ultimately, organizations need to control their DevOps resources and manage their cloud spend,” Bambenek said. “The management doesn’t have to be strict. Cloud companies should disable cryptocurrency mining generally. I can’t think of a single enterprise that has a business need to mine Monero in a Docker job. It’s not exactly profitable.”
