{"id":355317,"date":"2025-05-22T11:04:47","date_gmt":"2025-05-22T05:34:47","guid":{"rendered":"https:\/\/www.technologyforyou.org\/?p=355317"},"modified":"2025-05-22T11:04:47","modified_gmt":"2025-05-22T05:34:47","slug":"kaspersky-uncovers-dero-crypto-miner-spreading-via-exposed-container-environments","status":"publish","type":"post","link":"https:\/\/www.technologyforyou.org\/kaspersky-uncovers-dero-crypto-miner-spreading-via-exposed-container-environments\/","title":{"rendered":"Kaspersky uncovers Dero crypto miner spreading via exposed container environments"},"content":{"rendered":"<p class=\"ArticleBody_date__rpGhG\"><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\">Kaspersky Security Services experts have identified a sophisticated cyberattack campaign targeting containerized environments to deploy a miner for the Dero cryptocurrency. The attackers abuse exposed Docker APIs \u2014 parts of Docker, an open-source container development platform. In 2025, there are a significant number of Docker API default ports that are insecurely published, accounting for almost 500 occurrences worldwide on average each month. In the discovered campaign, cybercriminals inject two types of malware into the compromised systems: one is the miner itself and the other is propagation malware that can spread the campaign to other insecure container networks.<\/span><\/p>\n<div class=\"ArticleBody_articleContainer__Sz0LX\">\n<div class=\"ArticleBody_articleBody__gN8bN\">\n<div class=\"ArticleBody_content__tiVdv ArticleBody_withContentAbove__RyYxL\">\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\">Kaspersky experts discovered this malicious campaign as part of a compromise assessment project. According to expert estimates, any organization that operates containerized infrastructure \u2014 while exposing Docker APIs without robust security controls \u2014 can be a potential target. These may include technology companies, software development firms, hosting providers, cloud service providers and other enterprises.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\">According to Shodan, in 2025, there are 485 published Docker API default ports<a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/kaspersky-uncovers-dero-crypto-miner-spreading-via-exposed-container-environments#_ftn1\"><sup>[1]<\/sup><\/a>\u00a0worldwide each month on average. This figure illustrates the campaign\u2019s potential attack surface by tallying the \u201centry points\u201d \u2014 or insecurely exposed ports that attackers might target. China accounted for the largest monthly average \u2014 nearly 138 occurrences \u2014 followed by Germany (97), the U.S. (58), Brazil (16), and Singapore (13).<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\">Once attackers identify an insecurely published Docker API, they either compromise existing containers or create new malicious ones based on a legitimate standard Ubuntu image. They then inject two malware types into the compromised containers:\u00a0\u201cnginx\u201d and\u00a0\u201ccloud\u201d. The latter is a Dero cryptocurrency miner, while\u00a0\u201cnginx\u201d is malicious software that maintains persistence, ensures execution of the miner and scans for other exposed environments. This malware allows attackers to operate without traditional Command-and-Control (C2) servers; instead, each infected container independently scans the internet and can spread the miner to new targets.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\"><img decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/content.kaspersky-labs.com\/fm\/press-releases\/20\/20afec8f3b698a8c121fa8c7beb2e7ed\/processed\/scheme-q93.jpg\" alt=\"An infection chain scheme \" \/><\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\"><em>An infection chain scheme<\/em><\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\">\u201cThis demonstrates that the campaign has the potential for exponential growth of infections, with each compromised container acting as a new source of attack, if security measures are not immediately put in place in the potentially targeted networks,\u201d explains <strong>Amged Wageh, an incident response and a compromise assessment expert at Kaspersky Security Services.<\/strong> \u201cContainers are foundational to software development, deployment, and scalability. Their widespread use across cloud-native environments, DevOps, and microservices architectures makes them an attractive target for cyber attackers. This growing reliance demands organizations adopt a 360-degree approach to security \u2014 combining robust security solutions with proactive threat hunting and regular compromise assessments\u201d.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\">The attackers embedded the names \u201cnginx\u201d and \u201ccloud\u201d directly in the binary \u2014 a compiled executable file made up of instructions and data for the processor rather than human-readable text. This is a classic masquerading tactic that lets the payload pose as a legitimate tool, trying to deceive both analysts and automated defenses.<\/span><\/p>\n<p><span style=\"font-family: georgia, palatino, serif; font-size: 12pt;\">The full technical analysis is available\u00a0<a href=\"https:\/\/securelist.com\/dero-miner-infects-containers-through-docker-api\/116546\/\" target=\"_blank\" rel=\"noopener\">on Securelist<\/a>.<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Security Services experts have identified a sophisticated cyberattack campaign targeting containerized environments to deploy a miner for the Dero cryptocurrency. The attackers abuse exposed Docker APIs \u2014 parts of Docker, an open-source container development platform. In 2025, there are a significant number of Docker API default ports that are insecurely published, accounting for almost [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":268263,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[37380],"class_list":{"0":"post-355317","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","8":"tag-kaspersky-uncovers-dero-crypto-miner-spreading-via-exposed-container-environments"},"_links":{"self":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/355317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/comments?post=355317"}],"version-history":[{"count":0,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/posts\/355317\/revisions"
}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media\/268263"}],"wp:attachment":[{"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/media?parent=355317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/categories?post=355317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.technologyforyou.org\/wp-json\/wp\/v2\/tags?post=355317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
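The press release above turns on one precondition: a Docker API "insecurely published" on its default port. The following script is an added example (not Kaspersky's code and not part of Docker) showing the check a defender would run on their own hosts before an attacker's scanner does. It reads the two places a Linux dockerd normally takes its listen addresses from, the `hosts` key of `/etc/docker/daemon.json` and the `-H`/`--host` flags on the dockerd command line (for instance the `ExecStart=` line of `docker.service`), and flags any TCP listener that is reachable without `--tlsverify` or that is bound to every interface. The keys `hosts` and `tlsverify` and the flags `-H`, `--host` and `--tlsverify` are Docker's own; the sample configurations, the function names and the output wording are constructed for this example. Ports 2375 (plain TCP) and 2376 (TLS) are Docker's conventional defaults, not figures taken from the page.

```python
"""Audit where dockerd listens and whether its API is reachable over plain TCP.

Added example; not Kaspersky's code and not part of Docker. daemon.json keys
"hosts"/"tlsverify" and the dockerd flags -H/--host/--tlsverify are real;
every sample input and function name below is constructed for the example.
"""
import json
import re
import shlex
from typing import List

# Constructed sample inputs (not taken from any real host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_EXECSTART = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                  "--containerd=/run/containerd/containerd.sock")

# tcp://HOST:PORT where HOST may be a bracketed IPv6 literal; both parts optional.
TCP_HOST = re.compile(r"tcp://(\[[^\]]*\]|[^:/]*)?(?::(\d+))?$")


def listeners_from_daemon_json(text: str) -> dict:
    """Return {"hosts": [...], "tlsverify": bool} from daemon.json content."""
    cfg = json.loads(text)
    return {"hosts": list(cfg.get("hosts", [])),
            "tlsverify": bool(cfg.get("tlsverify", False))}


def listeners_from_execstart(line: str) -> dict:
    """Pull -H/--host values and --tlsverify out of a dockerd command line."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv = shlex.split(cmd)
    hosts: List[str] = []
    tlsverify = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return {"hosts": hosts, "tlsverify": tlsverify}


def audit_listeners(hosts: List[str], tlsverify: bool) -> List[str]:
    """One finding per TCP listener that lacks TLS client auth or binds every interface.

    unix:// and fd:// sockets are local-only and produce no finding.
    """
    findings = []
    for host in hosts:
        m = TCP_HOST.match(host)
        if not m:
            continue
        addr = m.group(1) or "localhost"  # dockerd's default when the host part is omitted
        port = m.group(2) or ("2376" if tlsverify else "2375")  # dockerd's default ports
        if not tlsverify:
            findings.append(
                f"{host}: API over plain TCP without tlsverify; anyone who can "
                f"reach port {port} can start arbitrary containers on this host, "
                f"which amounts to root access")
        if addr in ("0.0.0.0", "[::]", "::"):
            findings.append(
                f"{host}: bound to all interfaces; bind to a specific address "
                f"and firewall port {port}, or do not expose TCP at all")
    return findings


def audit_daemon_json(text: str) -> List[str]:
    cfg = listeners_from_daemon_json(text)
    return audit_listeners(cfg["hosts"], cfg["tlsverify"])


def audit_execstart(line: str) -> List[str]:
    cfg = listeners_from_execstart(line)
    return audit_listeners(cfg["hosts"], cfg["tlsverify"])


if __name__ == "__main__":
    for label, findings in (("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
                            ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
                            ("weak ExecStart", audit_execstart(WEAK_EXECSTART))):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Two practical notes. First, dockerd refuses to start when `hosts` is set in daemon.json and `-H` is also passed on the command line, so on a systemd host the `ExecStart=` line usually has to be edited (via a drop-in override) before the `hosts` key in daemon.json can be used; check both places, as the script does. Second, `tlsverify` on its own does not stop the daemon from being reachable, it only requires a client certificate signed by the configured CA; the safer posture, and Docker's own recommendation, is to not publish a TCP listener at all and reach remote daemons over SSH (`DOCKER_HOST=ssh://user@host`), which keeps the unix socket as the only entry point.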