date 2021-01-09

A crypto-mining botnet is now stealing Docker and AWS credentials

"Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code.

This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.

Oliveira points out that with the addition of this feature, "implementing [Docker] API authentication is not enough" and that companies should make sure Docker management APIs aren't exposed online in the first place, even when using strong passwords.

But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy firewalls to limit who can access the port using allow-lists."

https://www.zdnet.com/article/a-crypto-mining-botnet-is-now-stealing-docker-and-aws-credentials/
 
I wrote a rant only to calm down by the end of it. It comes down to this: if you are doing security the same way you were 3 years ago, then your security is garbage and you are asking to be hacked. It's not enough to protect things behind a username and password; you need port filtering paired with application ID filtering, and strict IP permission sets. No longer can you have your admin portal accessible from the outside. If you can access the admin portal then so can anybody else, and it doesn't matter how good you think your username and password combination is, they will find a way around it, or to steal it.
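
An added example, not part of this thread or the quoted article: a defensive check for the advice above that reads a Docker daemon.json plus any dockerd arguments and flags API listeners reachable from other hosts, including TLS-protected ones, since the article says authentication alone is not enough. The sample config, function names and category labels are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json: the local socket plus an all-interfaces TCP listener.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'


def classify_host(host, tlsverify):
    """Classify one dockerd -H / "hosts" entry by how widely it is reachable."""
    parts = urlsplit(host)
    if parts.scheme in ("unix", "fd", "npipe"):
        return "local-socket"
    if parts.scheme != "tcp":
        return "unknown"
    # Assumption (conservative): an empty host is treated as all interfaces.
    addr = parts.hostname or "0.0.0.0"
    try:
        loopback = ipaddress.ip_address(addr).is_loopback
    except ValueError:
        loopback = addr == "localhost"
    if loopback:
        return "loopback-only"
    # Reachable from other machines. Even with client-certificate checks the
    # port still needs a firewall allow-list in front of it.
    return "remote-tls-needs-allowlist" if tlsverify else "remote-unauthenticated"


def audit(daemon_json_text, dockerd_args=()):
    """Return {listener: category} for every API listener that is configured."""
    cfg = json.loads(daemon_json_text)
    args = list(dockerd_args)
    tlsverify = bool(cfg.get("tlsverify")) or "--tlsverify" in args
    hosts = list(cfg.get("hosts", []))
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
    return {h: classify_host(h, tlsverify) for h in hosts}


if __name__ == "__main__":
    for listener, category in audit(SAMPLE_DAEMON_JSON).items():
        print(f"{category:28} {listener}")
```

Any listener reported as remote-unauthenticated or remote-tls-needs-allowlist is one to either remove or put behind an IP allow-list at the firewall.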
 
Lakados said:
I wrote a rant only to calm down by the end of it. It comes down to this: if you are doing security the same way you were 3 years ago, then your security is garbage and you are asking to be hacked. It's not enough to protect things behind a username and password; you need port filtering paired with application ID filtering, and strict IP permission sets. No longer can you have your admin portal accessible from the outside. If you can access the admin portal then so can anybody else, and it doesn't matter how good you think your username and password combination is, they will find a way around it, or to steal it.
did you save the rant anywhere? just curious
 
