"Researchers Uncover Cryptojacking Campaign Targeting Docker, Kubernetes Cloud Servers"

CrowdStrike researchers have discovered a new hacking campaign that targets cloud infrastructure worldwide in the service of a cryptojacking scheme. The "Kiss-A-Dog" campaign has been active since at least September, when a CrowdStrike honeypot detected signs of attacks targeting vulnerable Docker and Kubernetes instances. The campaign was named after the domain the attackers use to retrieve the Python-coded malware payload: kiss[.]a-dog[.]top.

The campaign uses multiple command-and-control (C2) servers to escape containerized environments and gain root privileges. It uses kernel and user rootkits for obfuscation, backdoor creation, lateral movement, and persistence. The attackers are also able to detect and uninstall third-party cloud monitoring services. Once inside a compromised container, the threat actors attempt to assemble network scanning tools to look for additional cloud servers running Docker and Kubernetes. According to Shodan, over 68,000 vulnerable Kubernetes instances (16,915 in the US) and 13,000 Docker instances (2,320 in the US) are exposed to the Internet globally. The ultimate goal, according to researchers, was to install XMRig and use victims' computing power to mine cryptocurrency.

While these attacks had been taking place for some time before CrowdStrike discovered them, the summer crash in the cryptocurrency market likely "muffled" their visibility and impact at first. Cryptojacking groups' campaigns can last anywhere from days to several months, according to Manoj Ahuje, senior threat researcher for cloud security. As cryptocurrency prices fell, these campaigns became muffled in recent months, until multiple campaigns were launched in October to capitalize on a low-competition environment. This article continues to discuss findings surrounding the Kiss-A-Dog cryptojacking campaign targeting Docker and Kubernetes cloud servers.

SC Media reports "Researchers Uncover Cryptojacking Campaign Targeting Docker, Kubernetes Cloud Servers"

Submitted by Anonymous on