The prolific botnet, which previously targeted vulnerable Microsoft Exchange servers, is now gaining initial access via exposed Docker APIs.
Threat analysis firm Prevasio scanned the entire DockerHub and found that 51 percent of all container images had at least one critical vulnerability and 13 percent had at least one high-severity vulnerability. Researchers also identified 6,433 images that were malicious or potentially harmful.
An attack group TeamTNT is using Weave Scope, an open source cloud monitoring and control tool to compromise Docker and Kubernetes instances as part of a cryptocurrency mining operation, security company Intezer said.
A vulnerability in all versions of the Docker platform can give an attacker full read and write access to the host file system.
Docker revoked tokens linking GitHub and Bitbucket with Docker Hub accounts after discovering "unauthorized access" in its Hub database. Developers should check their code to ensure no unauthorized changes have been made.