
Hackers are targeting vulnerable Docker remote API servers, and using them to mine cryptocurrencies on the underlying hardware, experts have warned.
Cybersecurity researchers from Trend Micro stated the crooks took an “unconventional approach” with this attack, noting, "The threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host."
"The attacker first checked the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities."
Which tokens are they mining?
The experts explained that the crooks would first seek out public-facing Docker API hosts where the HTTP/2 protocol can be upgraded. Then, they would send a request to upgrade the connection to the h2c protocol which, once the upgrade completes, allows them to create a container. That container is ultimately used to mine cryptocurrencies for the attackers, via the SRBMiner payload, hosted on GitHub.
The researchers added the crooks used SRBMiner to mine the XRP token, native to the Ripple blockchain built by the company of the same name. However, XRP is a minted token that cannot be mined. We asked Trend Micro for clarification.
SRBMiner uses algorithms such as RandomX and KawPow for mining. It can generate a number of different tokens for its operators, but not XRP. Among the available tokens are Monero, Ravencoin, Haven Protocol, Wownero, and Firo.
It’s safe to assume that the crooks were actually mining Monero, one of the most popular tokens among cybercriminals, given its advanced privacy and anonymity features. Monero is also commonly mined via the XMRig cryptojacker, and its ticker is XMR, quite close to XRP.
Trend Micro warned all users to secure their Docker remote API servers by implementing stronger access controls and authentication mechanisms, thus barring access to unauthenticated individuals. Furthermore, users are advised to monitor the servers for unusual activities, and implement best practices for container security.
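As an illustration of the monitoring advice, the following added example (not code from Trend Micro or the original article) flags the sequence described above, an availability or version check followed by an h2c upgrade request, in request heads recorded in front of a Docker remote API. It assumes a proxy or capture that yields (client IP, raw request head) pairs; the sample records and addresses are constructed, and because Docker's own `/session` endpoint legitimately uses an h2c upgrade, known build clients go in the hypothetical `trusted` set.

```python
import re

# Constructed sample: (client IP, raw HTTP/1.1 request head) pairs, as a reverse
# proxy or packet capture in front of a Docker remote API might record them.
SAMPLE = [
    ("203.0.113.7", "GET /_ping HTTP/1.1\r\nHost: dockerhost:2375\r\n\r\n"),
    ("203.0.113.7", "GET /version HTTP/1.1\r\nHost: dockerhost:2375\r\n\r\n"),
    ("203.0.113.7", "POST /session HTTP/1.1\r\nHost: dockerhost:2375\r\n"
                    "Connection: Upgrade\r\nUpgrade: h2c\r\n\r\n"),
    ("198.51.100.23", "POST /session HTTP/1.1\r\nHost: dockerhost:2375\r\n"
                      "connection: keep-alive, upgrade\r\nupgrade: H2C\r\n\r\n"),
    ("192.0.2.9", "GET /v1.43/containers/json HTTP/1.1\r\nHost: dockerhost:2375\r\n\r\n"),
]

# Availability/version checks, with or without an API version prefix.
PROBE = re.compile(r"^(/v\d+\.\d+)?/(_ping|version)$")

def parse_head(raw):
    """Split a raw request head into (method, path, headers); header names lower-cased."""
    lines = raw.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers

def is_h2c_upgrade(headers):
    """True when the request asks to switch the cleartext connection to HTTP/2."""
    tokens = lambda h: {t.strip().lower() for t in headers.get(h, "").split(",")}
    return "upgrade" in tokens("connection") and "h2c" in tokens("upgrade")

def detect(records, trusted=frozenset()):
    """Return (ip, path, severity) for each h2c upgrade from an untrusted client."""
    probed, alerts = set(), []
    for ip, raw in records:
        if ip in trusted:
            continue
        _, path, headers = parse_head(raw)
        if PROBE.match(path):
            probed.add(ip)    # remember clients that checked availability/version
        if is_h2c_upgrade(headers):
            # "high" when the same client probed the API before upgrading
            alerts.append((ip, path, "high" if ip in probed else "medium"))
    return alerts
```

Header names and tokens are compared case-insensitively, so the lower-case variant in the fourth sample record is still caught.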
Via The Hacker News

































