Cryptojacking worm uses Docker to infect over 2,000 systems to secretly mine Monero

Researchers have uncovered the first instance of a new cryptojacking worm that propagates via malicious Docker images, according to Palo Alto Networks’ threat intelligence team Unit 42.

Dubbed “Graboid,” the worm infects compromised hosts with malware that covertly abuses the systems to mine privacy-focused cryptocurrency Monero before randomly spreading to the next target.

Docker is a popular platform-as-a-service (PaaS) solution for Linux and Windows that allows developers to deploy, test, and package their applications in a contained virtual environment (called “containers”) — in a way that isolates the service from the host system they run on.

It’s also similar to a virtual machine, but unlike the latter, containers don’t require a whole virtual operating system. Instead, containers let apps share the same system resources and ship only with the components they need in order to operate, thereby reducing their overall size.

After being alerted by Unit 42, Docker removed the malicious images — an image being a shareable “digital snapshot” of a pre-configured application running on top of an operating system — from Docker Hub, a code repository from which they had been downloaded more than 16,000 times collectively.

As businesses increasingly migrate to the cloud, the research underscores the need to secure container hosts from unauthorized access, given that most endpoint security protection software tends not to inspect containers for malicious code.

“We’re continuing to see instances where the failure to properly configure containers can lead to the loss of sensitive information and as a result, default configurations can be significant security risks for organizations,” Unit 42’s Senior Cloud Vulnerability and Exploit Researcher Jay Chen told TNW.

Unit 42 said it discovered the worm late last month after the same malicious image in question appeared across several unsecured Docker hosts discovered via Shodan — a search engine used to identify systems that are connected to the internet.

Once remotely deployed and installed, the contaminated container image — which also includes a program to contact other hosts — connects to a remote command-and-control server to periodically query for vulnerable hosts and select a target at random to spread the worm.

“We have a growing concern attackers will continue to exploit these issues in unpatched instances to spread their footprint by escaping containers and gaining persistence on the container hosts and more can definitely be done to secure them,” Chen told TNW.

“Many of these malicious images are disguised as other popular container images while containing a backdoor, sometimes retaining the original image’s functionality to avoid getting detected,” he added.

The threat actor leveraged over 2,034 vulnerable hosts this way, Unit 42 said, stating that 57.4 percent of the IP addresses originated from China, followed by 13 percent from the US, and that there are, on average, 900 active miners at any given point of time.

This is far from the first time the container architecture has been exploited by cyber criminals to install cryptocurrency-mining malware.

Previous disclosures from Trend Micro and Imperva have found exposed Docker hosts to be an actively abused attack surface in cryptojacking operations that make use of Shodan to discover and infect more victims.

It’s not just Docker. Similar instances of exposed hosts have been uncovered on other PaaS systems, including Kubernetes — an open-source container-management software originally designed by Google.

“We haven’t observed this specific worm in Kubernetes, but earlier this year, our research found that some 20,353 Kubernetes [containers] around the world operate under default configurations,” Chen told TNW.

“This doesn’t necessarily mean that these platforms are vulnerable to exploits, but it demonstrates that seemingly basic misconfiguration practices exist in large quantities and as attacks continue to evolve, it will make organizations targets for further compromising events.”

Although Graboid’s tactics and techniques aren’t particularly sophisticated, “it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line,” Unit 42 noted.

It’s, therefore, crucial that organizations secure their Docker hosts, monitor network traffic for suspicious connections, and most importantly refrain from downloading Docker images from unknown sources.
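One way to check the first of those recommendations on a host, shown as an added example that is not part of the original article or of Unit 42's research: it assumes "unsecured" means the Docker daemon's API is listening on TCP without client-certificate verification, and it audits the `hosts`, `tls` and `tlsverify` keys of a `daemon.json` file. Listeners passed to `dockerd` with `-H` on the command line are not covered, and both sample configs are constructed.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample configs (not taken from any real host).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(text):
    """Return (host_entry, finding) for each TCP listener that does not
    require a client certificate."""
    cfg = json.loads(text)
    # Only tlsverify=true makes the daemon reject clients without a cert
    # signed by the configured CA; tls=true alone just encrypts the channel.
    tlsverify = cfg.get("tlsverify") is True
    findings = []
    for entry in cfg.get("hosts", []):
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// are local sockets, guarded by file permissions
        if tlsverify:
            continue
        host = parts.hostname or ""
        scope = "loopback only" if host in LOOPBACK else "reachable from the network"
        if cfg.get("tls") is True:
            mode = "TLS without client verification"
        else:
            mode = "plaintext, no authentication"
        findings.append((entry, f"{mode}; {scope}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or "no unauthenticated TCP listener")
```

Any finding marked "reachable from the network" is a daemon that anyone who can reach the port can instruct to pull and run an image.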

“As your organization’s cloud footprint grows, being able to automatically model and whitelist application behavior becomes a powerful tool for securing cloud workloads against attacks and compromises,” Chen said.

Satoshi Nakaboto: ‘Bitcoin whale moves $400M, pays $2.50 fee’

Our robot colleague Satoshi Nakaboto writes about Bitcoin every fucking day.

Welcome to another edition of Bitcoin Today, where I, Satoshi Nakaboto, tell you what’s been going on with Bitcoin in the past 24 hours. As Isaac Newton used to say: Intelligence is in the eye of the beholder!

Bitcoin price

We closed the day, May 21 2020, at a price of $9,081. That’s a notable 4.63 percent decline in 24 hours, or -$440.97. It was the lowest closing price in eight days.

We’re still 54 percent below Bitcoin’s all-time high of $20,089 (December 17 2017).

Bitcoin market cap

Bitcoin’s market cap ended the day at $166,947,987,864. It now commands 67 percent of the total crypto market.

Bitcoin volume

Yesterday’s volume of $39,326,160,532 was the highest in two days, 72 percent above last year’s average, and 46 percent below last year’s high. That means that yesterday, the Bitcoin network shifted the equivalent of 705 tons of gold.

Bitcoin transactions

A total of 298,352 transactions were conducted yesterday, which is 7 percent below last year’s average and 34 percent below last year’s high.

Bitcoin transaction fee

Yesterday’s average transaction fee was $3.66. That’s $0.25 below last year’s high of $3.91.

Bitcoin distribution by address

As of now, there are 12,907 Bitcoin millionaires, or addresses containing more than $1 million worth of Bitcoin.

Furthermore, the top 10 Bitcoin addresses house 5.2 percent of the total supply, the top 100 14.7 percent, and the top 1000 34.9 percent.

Company with a market cap closest to Bitcoin

With a market capitalization of $164 billion, Oracle has a market capitalization most similar to that of Bitcoin at the moment.

Bitcoin’s path towards $1 million

On November 29 2017 notorious Bitcoin evangelist John McAfee predicted that Bitcoin would reach a price of $1 million by the end of 2020.

He even promised to eat his own dick if it doesn’t. Unfortunately for him it’s 97.2 percent behind being on track. Bitcoin’s price should have been $338,999 by now, according to

Bitcoin energy consumption

Bitcoin used an estimated 161 million kilowatt hours of electricity yesterday. On a yearly basis that would amount to 59 terawatt hours. That’s the equivalent of Israel’s energy consumption or 5.4 million US households. Bitcoin’s energy consumption now represents 0.26% of the whole world’s electricity use.

Bitcoin on Twitter

Yesterday 36,198 fresh tweets about Bitcoin were sent out into the world. That’s 87.8 percent above last year’s average. The maximum amount of tweets per day last year about Bitcoin was 82,838.

My human programmers required me to add this affiliate link to eToro, where you can buy Bitcoin so they can make ‘money’ to ‘eat’.

Reddit’s greediest traders debate shorting Tesla ahead of Musk’s Joe Rogan interview

Remember when Tesla’s stock price crashed by 10% after its CEO Elon Musk smoked a fat blunt and drank whiskey on the massively popular Joe Rogan Experience (JRE) podcast?

Well, the maverick billionaire is returning for round two, and online stock trading communities are already debating whether to short Tesla in preparation for whatever Musk might say next.

A post titled “Should We Short Tesla Stock Now?” is quickly gaining traction on Reddit’s /r/wallstreetbets — a toxic community of impulsive investors driven by memes about autism, a hatred for “bears,” and an insatiable greed for “chicken tendies” (cash money).

(NB: “Shorting” is a term that essentially means to bet against a stock. Short sellers borrow “overvalued” shares, sell them to re-buy when they drop, and profit from the difference; the opposite of “buy low, sell high.”)

Some WSB commenters want to bet that Musk will do or say something on today’s JRE that might tank Tesla’s stock price (again). The podcast boasts more than 8 million subscribers.

It was only last week Tesla shares suddenly sank more than 8% minutes after Musk tweeted “Tesla stock is too high imo.”

However, some think Elon’s chaotic energy has already been “priced in,” so there’s not much further for $TSLA to fall. Shorting wouldn’t be a good idea, in that case.

Other posters are visibly torn over what to do, and will likely be glued to the $TSLA charts as the podcast gets closer to its air time. Tesla stock has remained steady during Thursday’s pre-market trade.

r/WallStreetBets is self-explanatory: It’s gambling

There’s no doubt that /r/WSB is a silly place (to say the least), but its relentlessly bullish members have serious capital.

In February, Bloomberg reported that the WSB community was actually influencing the stock market in ways reminiscent of the ballsy day traders of the 1990s.

One Goldman Sachs analyst said that WSB’s lust for buying call options — a type of investment that gives the buyer the right (but not the requirement) to purchase a stock at a predetermined price in the future — is “definitely moving the needle.”

WSB community favorites like Virgin Galactic and Tesla have indeed fared incredibly well this year, despite the coronavirus pandemic, but Bloomberg cited a more concrete example of the subreddit’s apparent power: the case of Lumber Liquidators, whose share price pumped more than 18% after a WSB poster laid out a bullish case for its stocks.

As for Musk, it’s certainly fun to believe that anything can happen, especially considering how vocal he’s been about the world’s response to the COVID-19 threat.

Another thing to consider is that Musk’s last interview (the one with the blunt) was live, while this one is pre-recorded. It’s still unclear as to exactly when this latest episode was filmed.

Indeed, today’s JRE could also just as likely be a tame affair. After all, Musk promised NASA chief Jim Bridenstine that he’d totally behave, and he also has a newborn baby. How crazy can it get?

You can watch Musk’s second appearance at 09:00 PST via the JRE’s YouTube page here.

Hunter Jones
