Cryptojacking worm compromised over 2,000 Docker hosts - Help Net Security

Security researchers have discovered a cryptojacking worm that propagates using containers in the Docker Engine (Community Edition) and has spread to more than 2,000 vulnerable Docker hosts.



“The attacker compromised an unsecured Docker daemon, ran the malicious Docker container pulled from Docker Hub, downloaded a few scripts and a list of vulnerable hosts from C2 and repeatedly picked the next target to spread the worm,” Palo Alto Networks’s Unit 42 researchers explained.


A worm named Graboid


Dubbed Graboid by the researchers, the worm carries out cryptojacking inside containers, spreads to a few hosts at a time, and mines Monero in short bursts.


“It randomly picks three targets at each iteration. It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target,” the researchers