Techno, Intuisi Blog – A new campaign targeting vulnerable Docker services deploys both an XMRig miner and the 9hits viewer application on compromised hosts, giving the attackers two different ways to earn money.
9hits is a traffic exchange platform whose members can direct traffic to each other's websites.
The traffic is generated by the 9hits viewer application that members install on their mobile devices. It uses a headless Chrome instance to browse websites requested by other members. In return, members earn credits, which they spend to have traffic sent to their own sites.
In the campaign discovered by Cado Security, attackers deploy the 9hits viewer app to compromised Docker hosts to generate credits, using the system's resources to produce traffic in the 9hits traffic exchange.
“This is the first documented case of malware deploying the 9hits application as a payload,” says a study from Cado Security shared with BleepingComputer.
Docker Attack details
Although it is unclear how the attackers find systems to attack, Cado believes they likely use a network scanning service such as Shodan to locate vulnerable servers, then break in to deploy malicious containers through the Docker API.
The containers are images pulled from Docker Hub to reduce the chance of raising suspicion. The spreader script captured in Cado's Docker honeypot uses the Docker CLI, setting the DOCKER_HOST variable and using the standard API calls to pull and run the containers.
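The entry point described above is a Docker API reachable over the network without authentication, and the payload is an ordinary Docker Hub image that looks benign by name. The following is an added defender-side example (not code from the article or the Cado Security report): it audits a daemon configuration for an unauthenticated TCP listener, contrasting a weak and a hardened setup, and flags running containers whose image is not on an allowlist, which is the check that makes an unexpected pulled image stand out. All inputs are constructed samples, and the image name `example/unexpected-image:latest` is a placeholder, not an indicator from the campaign.

```python
"""Added example: audit Docker API exposure and running containers.
Not from the article or Cado Security; all inputs are constructed."""
import json
import shlex

# Constructed samples. dockerd reads listeners from the "hosts" key in
# daemon.json OR from -H flags on the systemd ExecStart line (setting both
# is a startup error). tcp://0.0.0.0:2375 without TLS exposes the full API
# to anyone who can reach the port, which is the weakness the campaign abuses.
WEAK_DAEMON_JSON = '{"log-driver": "json-file"}'
WEAK_EXEC_START = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

# Hardened: remote access only with mutual TLS (tlsverify) on 2376.
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem",'
    ' "tlskey": "/etc/docker/server-key.pem"}'
)
HARDENED_EXEC_START = "/usr/bin/dockerd"


def tcp_hosts(daemon_json: str, exec_start: str) -> list[str]:
    """Collect every tcp:// listener from daemon.json 'hosts' and -H/--host flags."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    argv = shlex.split(exec_start)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return [h for h in hosts if h.startswith("tcp://")]


def audit_api_exposure(daemon_json: str, exec_start: str) -> list[str]:
    """Return findings; an empty list means no unauthenticated TCP API listener."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    tls = bool(cfg.get("tlsverify")) or "--tlsverify" in exec_start
    return [
        f"unauthenticated Docker API listener on {h}"
        for h in tcp_hosts(daemon_json, exec_start)
        if not tls
    ]


# Constructed output of `docker ps --format '{{json .}}'` (one object per line).
# The second container runs a script named as in the report; its image name
# is a placeholder, not a real indicator.
PS_LINES = """\
{"ID":"a1b2c3d4e5f6","Image":"nginx:1.25","Names":"web","Command":"\\"nginx -g 'daemon off;'\\"","State":"running","Status":"Up 3 days"}
{"ID":"0f9e8d7c6b5a","Image":"example/unexpected-image:latest","Names":"hungry_kirch","Command":"\\"sh /nh.sh\\"","State":"running","Status":"Up 2 hours"}
{"ID":"1234567890ab","Image":"postgres:16","Names":"db","Command":"\\"docker-entrypoint.sh postgres\\"","State":"running","Status":"Up 3 days"}
"""
IMAGE_ALLOWLIST = {"nginx:1.25", "postgres:16"}


def unexpected_containers(ps_lines: str, allowlist: set[str]) -> list[dict]:
    """Return containers whose image is not on the allowlist."""
    found = []
    for line in ps_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        if c["Image"] not in allowlist:
            found.append({"id": c["ID"], "image": c["Image"],
                          "name": c["Names"], "command": c["Command"]})
    return found


if __name__ == "__main__":
    for label, dj, es in (("weak", WEAK_DAEMON_JSON, WEAK_EXEC_START),
                          ("hardened", HARDENED_DAEMON_JSON, HARDENED_EXEC_START)):
        print(label, audit_api_exposure(dj, es) or "OK")
    for c in unexpected_containers(PS_LINES, IMAGE_ALLOWLIST):
        print("unexpected container:", c)
```

On a real host, feed `audit_api_exposure` the contents of `/etc/docker/daemon.json` and the `ExecStart=` line of the docker systemd unit, and `unexpected_containers` the output of `docker ps --format '{{json .}}'`. Even with mutual TLS in place, a listener bound to all interfaces should still be restricted by a firewall to the hosts that need it.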
The 9hits container runs a script (nh.sh) that authenticates with a session token and then generates credits for the attacker by visiting a list of sites.
The session-token system is designed to work securely even in untrusted environments, which lets the attackers generate credits without being banned.
The attackers have set specific arguments for the 9hits app, such as allowing popups or visiting adult sites but disallowing cryptocurrency-related sites.
Another container hosts an XMRig miner that mines Monero cryptocurrency for the attacker using the compromised cloud resources.
The miner connects to an anonymous mining pool, which makes it difficult to trace the scale or profit of the operation. Cado notes that the domain used for the mining pool suggests the attackers may rely on dynamic DNS services to retain control.
“The main impact of this campaign on compromised hosts is resource exhaustion, as the XMRig miner will use all available CPU resources it can while 9hits will use a large amount of bandwidth, memory, and what little CPU is left,” says Cado Security in the report.
“The result of this is that legitimate workloads on infected servers will be unable to perform as expected.”
The campaign uncovered by Cado shows that threat actors keep looking for non-traditional sources of monetization beyond crypto mining, diversifying their tactics and pursuing increasingly obscure avenues.
Platforms such as 9hits, which criminals can abuse, need stricter security controls and procedures to prevent unauthorized use of their applications, which can cause financial loss and disruption for organizations.
Companies investing in cloud computing have to navigate an intricate landscape.
This calls for zero-trust architectures, cloud workload protection platforms (CWPP) and cloud security posture management (CSPM) tools for better visibility, configuration control and protection of exposed assets.