Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network

The Hacker News by The Hacker News
June 24, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Jun 24, 2025Ravie LakshmananCloud Security / Cryptojacking

Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments.

“Attackers are exploiting misconfigured Docker APIs to gain access to containerized environments, then using Tor to mask their activities while deploying crypto miners,” Trend Micro researchers Sunil Bharti and Shubham Singh said in an analysis published last week.

In using Tor, the idea is to anonymize their origins during the installation of the miner on compromised systems. The attacks, per the cybersecurity company, commence with a request from the IP address 198.199.72[.]27 to obtain a list of all containers on the machine.

If no containers are present, the attacker proceeds to create a new one based on the “alpine” Docker image and mounts the “/hostroot” directory – i.e., the root directory (“https://thehackernews.com/”) of the physical or virtual host machine – as a volume inside it. This behavior poses security risks as it allows the container to access and modify files and directories on the host system, resulting in a container escape.

Cybersecurity

The threat actors then execute a carefully orchestrated sequence of actions that involves running a Base64-encoded shell script to set up Tor on the container as part of the creation request and ultimately fetch and execute a remote script from a .onion domain (“wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion”)

“It reflects a common tactic used by attackers to hide command-and-control (C&C) infrastructure, avoid detection, and deliver malware or miners within compromised cloud or container environments,” the researchers said. “Additionally, the attacker uses ‘socks5h’ to route all traffic and DNS resolution through Tor for enhanced anonymity and evasion.”

Once the container is created, the “docker-init.sh” shell script is deployed, which then checks for the “/hostroot” directory mounted earlier and modifies the system’s SSH configuration to set up remote access by enabling root login and adding an attacker-controlled SSH key into the ~/.ssh/authorized_keys file.

The threat actor has also been found to install various tools like masscan, libpcap, zstd, and torsocks, beacon to the C&C server details about the infected system, and ultimately deliver a binary that acts as a dropper for the XMRig cryptocurrency miner, along with the necessary mining configuration, the wallet addresses, and mining pool URLs.

“This approach helps attackers avoid detection and simplifies deployment in compromised environments,” Trend Micro said, adding it observed the activity targeting technology companies, financial services, and healthcare organizations.

Cybersecurity

The findings point to an ongoing trend of cyber attacks that target misconfigured or poorly secured cloud environments for cryptojacking purposes.

The development comes as Wiz revealed that a scan of public code repositories has uncovered hundreds of validated secrets in mcp.json, .env, and AI agent configuration files and Python notebooks (.ipynb), turning them into a treasure trove for attackers.

The cloud security firm said it found valid secrets belonging to over 30 companies and startups, including those belonging to Fortune 100 companies.

“Beyond just secrets, code execution results in Python notebooks should be generally treated as sensitive,” researchers Shay Berkovich and Rami McCarthy said. “Their content, if correlated to a developer’s organization, can provide reconnaissance details for malicious actors.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Goldman Sachs and Citadel back crypto firm Digital Asset in 5 million funding round

Goldman Sachs and Citadel back crypto firm Digital Asset in $135 million funding round

Recommended.

Hush Security Selected for the 2026 CrowdStrike, AWS & NVIDIA Cybersecurity Startup Accelerator

Hush Security Selected for the 2026 CrowdStrike, AWS & NVIDIA Cybersecurity Startup Accelerator

January 5, 2026
Capital One is buying startup Brex for .15 billion in credit card firm’s latest deal

Capital One is buying startup Brex for $5.15 billion in credit card firm’s latest deal

January 22, 2026

Trending.

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

CELLCOM ISRAEL LTD. Announcement of A Special General Meeting of The Shareholders of The Company

May 21, 2025
Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

Veeam Debuts Data Resiliency Maturity Model To Assess, Improve Customers’ Cyber Resiliency

April 23, 2025
MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

MocPOGO Easter Special Deals: The Pokémon GO Spoofer You Need for Might and Mastery 2025!

April 7, 2025
VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

VNET Wins 40MW Wholesale Order from Leading Internet Company for Its New Strategic IDC Campus

September 11, 2025
Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

Insurance Modernization at Risk as Workforce Strategies Fall Behind, Says Info-Tech Research Group

May 8, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio