The Docker cloud containerization technology is the target for a just-discovered cryptojacking worm dubbed Graboid.
According to researchers at Palo Alto’s Unit 42, the worm, which looks to mine the Monero cryptocurrency, has infected more than 2,000 unsecured Docker Engine (Community Edition) hosts so far, which are in the process of being cleaned. These are located mainly in China and the U.S.
Overall, the initial malicious Docker image has been downloaded more than 10,000 times, with the worm itself downloaded more than 6,500 times, according to Unit 42. Administrators can spot infections by looking for the presence of an image called “gakeaws/nginx” in the image build history.
“The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image [containing a Docker client tool used to communicate with other Docker hosts] was first installed to run on the compromised host,” the researchers wrote in a Wednesday post, adding that without any authentication or authorization, a malicious actor can take full control of the Docker Engine and the host.