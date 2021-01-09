erek
"Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code.
This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.
Oliveira points out that with the addition of this feature, "implementing [Docker] API authentication is not enough" and that companies should make sure Docker management APIs aren't exposed online in the first place, even when using strong passwords.
But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy firewalls to limit who can access the port using allow-lists."
https://www.zdnet.com/article/a-crypto-mining-botnet-is-now-stealing-docker-and-aws-credentials/
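
A defender-side check for the advice quoted above, added here as an example (it is not code from the article, Trend Micro, or Docker): it audits a `daemon.json` for TCP listeners reachable off-host and flags firewall allow-list entries that are too wide to count as an allow-list. The sample config, the allow-list format (a plain list of CIDRs), the prefix thresholds, and the choice to treat an empty bind host as "all interfaces" are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json and firewall allow-list (not from any real host).
SAMPLE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375",
            "tcp://0.0.0.0:2376", "tcp://10.0.0.5:2375"],
  "tlsverify": true
}"""
SAMPLE_ALLOW_LIST = ["10.0.0.0/24", "192.0.2.10/32", "0.0.0.0/0"]


def is_loopback(addr):
    """True only when the bind address is provably loopback."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unresolved hostname: assume reachable (conservative)


def audit_hosts(daemon_json):
    """Return {host: severity} for every TCP listener in a daemon.json string."""
    cfg = json.loads(daemon_json)
    tlsverify = bool(cfg.get("tlsverify", False))
    findings = {}
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not network listeners
        if is_loopback(url.hostname or "0.0.0.0"):  # empty host: assume all interfaces
            findings[host] = "ok"
        elif not tlsverify:
            findings[host] = "critical: unauthenticated API reachable off-host"
        else:
            # The quoted advice: authentication alone is not enough.
            findings[host] = "warn: authenticated, still needs a firewall allow-list"
    return findings


def overbroad_entries(cidrs, min_prefix_v4=16, min_prefix_v6=48):
    """Return allow-list entries wider than the thresholds (assumed values)."""
    nets = [(c, ipaddress.ip_network(c, strict=False)) for c in cidrs]
    return [c for c, n in nets
            if n.prefixlen < (min_prefix_v4 if n.version == 4 else min_prefix_v6)]
```

Run `audit_hosts` against the contents of the host's own `daemon.json` and `overbroad_entries` against the source ranges permitted to reach the API port; any `warn` listener paired with a flagged range is effectively exposed online.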
