A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency.
Cybersecurity company CrowdStrike dubbed the activity Kiss-a-dog. Its command-and-control infrastructure overlaps with infrastructure associated with other groups like TeamTNT, which are known to strike misconfigured Docker and Kubernetes instances.
The intrusions, spotted in September 2022, get their name from a domain named “kiss.a-dog[.]top” that’s used to trigger a shell script payload on the compromised container using a Base64-encoded Python command.
“The URL used in the payload is obscured with backslashes to defeat automated decoding and regex matching to retrieve the malicious domain,” CrowdStrike researcher Manoj Ahuje said in a technical analysis.
The attack chain subsequently attempts to escape the container and move laterally into the breached network, while simultaneously taking steps to terminate and remove cloud monitoring services.
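For defenders, the Base64 wrapping and backslash obscuring described above mean a domain match only works after normalization. The following is an added example, not code from CrowdStrike's analysis or from the campaign: the function names, the sample command line and its `/placeholder` path are constructed assumptions, and only the defanged domain comes from the article.

```python
import base64
import binascii
import re

# IoC from the article, stored defanged and refanged only for comparison.
IOC_DOMAINS = {"kiss.a-dog[.]top".replace("[.]", ".")}

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def decode_layers(text, depth=3):
    """Yield text, then every Base64 run in it that decodes to UTF-8 (nested)."""
    yield text
    if depth == 0:
        return
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64 text, e.g. a long path or identifier
        yield from decode_layers(decoded, depth - 1)


def find_ioc_hosts(cmdline):
    """Return IoC hosts visible once Base64 and backslashes are removed."""
    hits = set()
    for layer in decode_layers(cmdline):
        normalized = layer.replace("\\", "")  # undo backslash obscuring
        for host in HOST.findall(normalized):
            if host.lower().rstrip(".") in IOC_DOMAINS:
                hits.add(host.lower().rstrip("."))
    return hits


def constructed_sample(host):
    """Constructed input: inert text with a backslash before every third char."""
    url = "http://%s/placeholder" % host
    obscured = "".join("\\" + c if i % 3 == 2 else c for i, c in enumerate(url))
    blob = base64.b64encode(("fetch " + obscured).encode()).decode()
    return "python -c \"import base64;exec(base64.b64decode('%s'))\"" % blob


if __name__ == "__main__":
    print(find_ioc_hosts(constructed_sample(next(iter(IOC_DOMAINS)))))
```

Running the same host regex on the decoded layer without the backslash-stripping step finds nothing, which is the evasion the quoted analysis describes.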