Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called Commando Cat. "The campaign deploys a benign container generated using the Commando project," Cado security researchers Nate Bill and Matt Muir said in a new report published today. "The attacker escapes this container and runs multiple payloads on the Docker host." The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another activity cluster that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software. Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider (CSP) credentials, and launching the miner. The foothold obtained by breaching susceptible Docker instances is subsequently abused to deploy a harmless container using the Commando open-source tool and execute a malicious command that allows it to escape the confines of the container via the chroot command. It also runs a series of checks to determine if services named "sys-kernel-debugger," "gsc," "c3pool_miner," and "dockercache" are active on the compromised system, and proceeds to the next stage only if this step passes….Read More