Docker API servers being hit to spread cryptomining malware

Hackers are targeting vulnerable Docker remote API servers, and using them to mine cryptocurrencies on the underlying hardware, experts have warned.

Cybersecurity researchers from Trend Micro stated the crooks took an “unconventional approach” with this attack, noting, “the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host.”

“The attacker first checked the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities.”

Which tokens are they mining?

The experts explained that the crooks would first seek out public-facing Docker API hosts where HTTP/2 protocol can be upgraded. Then, they would send out a request to upgrade to the h2c protocol which, after conclusion, allows them to create a container. That container is ultimately used to mine cryptocurrencies for the attackers, via the SRBMiner payload, hosted on GitHub.

The researchers added the crooks used SRBMiner to mine the XRP token, native to the Ripple blockchain built by the company of the same name. However, XRP is a minted token that cannot be mined. We asked Trend Micro for clarification.

SRBMiner uses algorithms like RandomX, KawPow for mining. It can generate a number of different tokens for its operators, but not XRP. Among the available tokens are Monero, Ravencoin, Haven Protocol, Wownero, and Firo.

It’s safe to assume that the crooks were actually mining Monero, one of the most popular tokens among cybercriminals, given its advanced privacy and anonymity features. Monero is also commonly mined via the XMRig cryptojacker, and its ticker is XRM, quite close to XRP.

Trend Micro warned all users to secure their Docker remote API servers by implementing stronger access controls and authentication mechanisms, thus barring access to unauthenticated individuals. Furthermore, users are advised to monitor the servers for unusual activities, and implement best practices for container security.

Via The Hacker News

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/052f61d8d87502c81f4ed4a843828665-1200-80.jpg

Source link

Here are the OpenClaw security risks you should know about

The Oppo Find X9 Ultra could be the world’s best camera phone — and it’s launching globally this month

Why volumetric video works for the Olympics – but not yet for cinema

Why you shouldn’t ask ChatGPT for relationship advice — it’ll just tell you you’re right and ‘may worsen rather than resolve conflict’

Ex-Israeli Intelligence Official: Shockwaves of Trump’s “Take Over Gaza” Heard, Felt Across Region

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

Netflix New Releases: April 2026

Channel 4 Acquires ‘The Copenhagen Test’ for U.K.

Two and a Half Men Cast, Charlie Sheen, Angus T. Jones: Where Are They Now?

Ask Lisi: Celebrity podcasts get failing grade

Delta CEO Ed Bastian’s turnaround playbook—from bankruptcy to most profitable U.S. airline

Cal-Maine Foods beats profit forecasts despite revenue miss, shares rise 4%

Trump has no good options in Iran—here are 5 of them ahead of his speech to the nation tonight

Form 13D/A Real Messenger Corporation For: 1 April

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

Docker API servers being hit to spread cryptomining malware

Delta CEO Ed Bastian’s turnaround playbook—from bankruptcy to most profitable U.S. airline

Here are the OpenClaw security risks you should know about

Netflix New Releases: April 2026

Cal-Maine Foods beats profit forecasts despite revenue miss, shares rise 4%