Hackers Found Your Docker. Then They Found Your Wallet.
How Misconfigured Docker APIs Became a Goldmine for Cryptojackers
Introduction: When Misconfiguration Meets Monetization
Docker has become the backbone of modern development — fast, lightweight, and incredibly flexible. But when misconfigured, it becomes an open door to your infrastructure. In a recent campaign uncovered by Trend Micro, attackers exploited exposed Docker APIs to launch a sophisticated cryptojacking operation — hiding behind Tor, modifying system configs, and deploying XMRig miners.
Let’s break down exactly how this attack works — step-by-step — and what you need to do to avoid being the next crypto-farm.
The Attack Chain: Step-by-Step Breakdown
Step 1: Scanning for Exposed Docker APIs
Attackers start by scanning the internet for Docker daemons exposed on TCP (usually port 2375) without authentication.
The IP 198.199.72[.]27 initiates a request to list containers on the victim's machine.
🛑 If no containers are found, they move to the next stage: creating their own.
Step 2: Spawning a Malicious Container
They spin up a new container using the Alpine Linux image and mount the host’s / directory (as /hostroot) into it.
This grants read/write access to the host file system, essentially breaking container isolation — a container escape waiting to happen.
Step 3: Setting Up Tor Inside the Container
The attacker executes a Base64-encoded shell script during container creation. It:
Installs Tor
Routes all traffic using socks5h (Tor proxy)
Connects to a hidden .onion domain to download a second-stage script
This adds an anonymity layer that masks attacker activity and hides the command-and-control (C2) server.
Step 4: Deploying docker-init.sh
Once inside, they launch the main payload: a shell script (docker-init.sh) that:
Verifies the /hostroot mount
Modifies the SSH config to:
Enable root login
Drop in their own SSH keys for persistent access
This means even if the Docker API is secured later, the attacker can still log in remotely.
Step 5: Tooling Up
To make things stick, they install:
masscan – to scan for more targets
libpcap, torsocks, zstd – to aid stealth and data exfil
A monitoring beacon that reports details of the infected host to the C2 server
These tools prep the environment to avoid detection and expand reach.
Step 6: Cryptomining with XMRig
Finally, they pull down and run a custom XMRig miner:
Includes mining pool URL
Attacker-controlled wallet address
Pre-configured for max efficiency in stealth mode
Now your cloud bill is their profit margin.
Why It’s Dangerous: More Than Just Crypto
Yes, the immediate goal is crypto. But this attack:
Grants root-level access to your host
Uses Tor to evade logging and tracing
Allows for lateral movement within your cloud or hybrid infra
Turns your system into a launchpad for broader attacks
The Bigger Picture: Cloud Misconfigurations Are the Real Risk
This isn’t just a Docker issue. It’s part of a broader trend:
Wiz recently found hundreds of valid secrets (API keys, passwords, tokens) in .env, mcp.json, and Jupyter notebooks on public repos.
Many AI-generated tools (and careless commits) now expose sensitive data that attackers love to collect and correlate.
🛡️ Defense Checklist: Stop the Bleed
Want to avoid being turned into a crypto farm? Here's how:
✅ Lock Down Docker APIs:
Don’t expose port 2375 to the internet
Use TLS and authentication
Bind to localhost if remote access isn’t required
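Step 1 and this checklist item both come down to one daemon setting. The Python script below is an added example, not part of the original post and not Docker's own tooling: it parses a daemon.json and reports the exposures described above (a plaintext TCP listener, port 2375, binding to all interfaces, TLS without client certificate verification). The two configurations embedded in it are constructed samples, and the certificate paths in the hardened one are assumptions.

```python
"""Audit a Docker daemon.json for the exposure behind the campaign above:
an unauthenticated TCP listener, typically on 2375.

Added example, not code from the Trend Micro report or the Docker project.
The two configurations below are constructed samples."""
import json
from urllib.parse import urlsplit

# Constructed: the weak setting the article warns about.
WEAK_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed: TLS-only remote access with client certificate verification.
# The certificate paths are assumptions; use your own PKI layout.
HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_daemon_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing risky was detected."""
    cfg = json.loads(text)
    findings: list[str] = []

    # Only tcp:// listeners are reachable over the network; unix:// is local.
    tcp_hosts = [urlsplit(h) for h in cfg.get("hosts", []) if urlsplit(h).scheme == "tcp"]
    if not tcp_hosts:
        return findings

    tls_on = bool(cfg.get("tls")) or bool(cfg.get("tlsverify"))
    verify_on = bool(cfg.get("tlsverify"))  # tlsverify = require client certs
    for parts in tcp_hosts:
        bind = parts.hostname or "0.0.0.0"
        port = parts.port or 2375
        public = bind not in LOOPBACK
        if public and not tls_on:
            findings.append(f"{bind}:{port} accepts plaintext API calls without TLS")
        if public and tls_on and not verify_on:
            findings.append(f"{bind}:{port} uses TLS but does not require client certificates")
        if public and port == 2375:
            findings.append(f"{bind}:{port} is the well-known unauthenticated Docker port")
        if bind in ("0.0.0.0", "::"):
            findings.append(f"{bind}:{port} listens on all interfaces; bind to one address if remote access is needed")

    if tls_on and not all(k in cfg for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tls is enabled but tlscacert/tlscert/tlskey are not all set")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(text) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` on your hosts; remember that a `-H tcp://...` flag on the dockerd command line (for example in a systemd unit) adds a listener the file never mentions, so check the unit file too.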
✅ Use Runtime Security Tools:
Falco, Sysdig, or Datadog to detect suspicious container behavior
Monitor for mounting of host directories or downloads from .onion domains
✅ Block Outbound Tor Connections:
Use firewall rules or cloud egress controls to block Tor entry/exit nodes
✅ Audit for SSH Key Injection:
Regularly inspect ~/.ssh/authorized_keys
Watch for unexpected changes in /etc/ssh/sshd_config
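The persistence from Step 4 is two file changes, and both can be diffed against a known-good baseline. The Python script below is an added example, not code from the Trend Micro report: it reports authorized_keys entries that are absent from a baseline snapshot and sshd_config directives that would let a dropped root key log in. The baseline and live file contents are constructed, and the key blobs are placeholder text rather than real key material.

```python
"""Detect the persistence described in Step 4: an extra key in
authorized_keys and root login enabled in sshd_config.

Added example, not code from the report. Compare a baseline captured from a
freshly provisioned host against the live files. All inputs below are
constructed; the key blobs are placeholders, not real keys."""
import hashlib
import re

BASELINE_KEYS = """
# constructed baseline: the one deploy key the team expects
ssh-ed25519 PLACEHOLDER_DEPLOY_KEY_0001 deploy@ci
"""

LIVE_KEYS = """
ssh-ed25519 PLACEHOLDER_DEPLOY_KEY_0001 deploy@ci
ssh-rsa PLACEHOLDER_ATTACKER_KEY_0002 root@localhost
"""

LIVE_SSHD_CONFIG = """
# constructed sshd_config with the setting an attacker would flip
Port 22
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication yes
"""

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Any PermitRootLogin value other than "no" still lets a dropped root key in;
# "without-password" is the older alias of "prohibit-password".
RISKY_DIRECTIVES = {
    "permitrootlogin": ("yes", "without-password", "prohibit-password"),
    "passwordauthentication": ("yes",),
    "permitemptypasswords": ("yes",),
}


def parse_authorized_keys(text: str) -> dict[str, tuple[str, str]]:
    """Return {blob_hash: (key_type, comment)}; options before the type are skipped."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # malformed line; sshd ignores it as well
        key_type, blob = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        # Hash of the encoded blob (not the ssh-keygen fingerprint, which hashes the decoded key).
        keys[hashlib.sha256(blob.encode()).hexdigest()[:16]] = (key_type, comment)
    return keys


def unexpected_keys(baseline_text: str, live_text: str) -> dict[str, tuple[str, str]]:
    """Keys present on the live host but not in the baseline."""
    base = parse_authorized_keys(baseline_text)
    return {h: v for h, v in parse_authorized_keys(live_text).items() if h not in base}


def sshd_config_findings(text: str) -> list[str]:
    """sshd honours the first occurrence of a directive, so later duplicates are ignored.
    Match blocks are not modelled here."""
    seen: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return [f"{k} is set to {seen[k]!r}" for k, risky in RISKY_DIRECTIVES.items() if seen.get(k) in risky]


if __name__ == "__main__":
    for h, (ktype, comment) in unexpected_keys(BASELINE_KEYS, LIVE_KEYS).items():
        print(f"unexpected key {h} ({ktype}) comment={comment!r}")
    for f in sshd_config_findings(LIVE_SSHD_CONFIG):
        print("sshd_config:", f)
```

Run it for every user's authorized_keys (root's included), not just your own, and keep the baseline somewhere the host cannot rewrite it; an attacker with the host root mounted can edit the baseline as easily as the live file.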
✅ Scan for Secrets in Repos:
Use GitGuardian, Gitleaks, or built-in GitHub secret scanning
Rotate and revoke exposed credentials immediately
Conclusion: Cloud is Fast — But Attackers Are Faster
This attack shows just how fast and surgical modern cyber threats can be. One open Docker port = full host takeover, persistent access, and a cryptomining operation that costs you money and them nothing.
Don’t give them the keys. Secure your containers. Monitor your cloud.