Container security

Uncovering Container Threats, Legal Responses, and Innovative Scams


The recent revelation of the OracleIV DDoS botnet targeting Docker Engine API instances raises concerns about the security of publicly accessible containers. 

Exploiting Docker’s Achilles Heel

Attackers are taking advantage of a vulnerability in Docker’s API, allowing them to deploy a malicious container named ‘oracleiv_latest.’ 

Presented as a MySQL image, this container has been pulled 3,500 times to date. Beneath the surface, however, lies Python malware cleverly disguised as an ELF executable.

The attack begins with an HTTP POST request to Docker’s API that pulls the malicious image from Docker Hub. A command is then executed to retrieve a shell script (‘oracle.sh’) from a command-and-control (C&C) server. 

Because Docker Hub hosts the image, deployment is streamlined for the attacker, which makes the activity harder to detect and counter swiftly.

DDoS Layered Approach

What sets OracleIV apart is the arsenal of DDoS techniques embedded within the malicious container. The shell script, concise yet powerful, incorporates functionality for executing DDoS attacks, including Slowloris, SYN floods, and UDP floods. 

Although no cryptocurrency mining activities were observed, the script demonstrates a well-crafted toolset for disruptive actions.

Organizations must prioritize the security of Docker instances by implementing robust access controls and regularly auditing configurations.
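The exposure OracleIV abuses is an Engine API reachable over the network without client authentication. As an added example (not code from the article or from PureVPN), the check below audits a Docker daemon.json for that condition, assuming the documented `hosts` and `tlsverify`/`tlscacert`/`tlscert`/`tlskey` keys; both sample configurations are constructed for illustration.

```python
"""Audit a Docker daemon.json for a remotely exposed Engine API."""
import json

# Constructed sample configs (not taken from the article).
# The weak one serves the Engine API over plain TCP on every interface.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tls": false
}
"""

# The hardened one binds a single internal address, uses the TLS port and
# requires a client certificate signed by the configured CA.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return findings for a daemon.json; an empty list means no remote exposure found."""
    cfg = json.loads(raw_json)
    findings: list[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: the API is not reachable over the network
    tls_enforced = bool(cfg.get("tlsverify", False))
    for host in tcp_hosts:
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if bind in ("0.0.0.0", "[::]", "::"):
            findings.append(f"{host}: API bound to all interfaces")
        if not tls_enforced:
            findings.append(f"{host}: no client certificate verification (tlsverify unset)")
        if port == "2375":
            findings.append(f"{host}: plaintext port 2375 (TLS convention is 2376)")
    if tls_enforced:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` on each host as part of the configuration audit the section recommends; any finding means the Engine API is reachable by anyone who can route to that port.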

Vietnamese Threat Actors Target Indian Marketing Professionals with Ducktail Stealer Malware

In a cybercrime campaign between March and early October 2023, Vietnamese threat actors associated with the Ducktail stealer malware have shifted tactics, aiming to hijack the Facebook business accounts of marketing professionals in India. 

The attackers employed Delphi as the programming language, a departure from their previous reliance on .NET applications. 

The Ducktail ecosystem, including Duckport and NodeStealer, operates out of Vietnam, leveraging sponsored ads on Facebook to spread malicious content and compromise victims’ login cookies. 

The primary objective is to gain unauthorized access to Facebook Business accounts, enabling the attackers to place fraudulent ads for financial gain.

Alongside Ducktail’s strategic shift, Google has filed a lawsuit against unknown individuals in India and Vietnam for capitalizing on public interest in generative AI tools. 

The scammers used deceptive browser extensions related to AI tools like Bard to spread malware via Facebook, extracting social media login credentials. 

The lawsuit alleges that the defendants distributed links through social media ads and pages, redirecting users to websites where malware-infected RAR archives could be downloaded.

In a separate development, Proofpoint identifies the Middle Eastern threat actor TA402, also known as Molerats or Gaza CyberGang, employing a new initial access downloader called IronWind. 

Exploiting Google Forms for Cryptocurrency Scams: Cisco Talos Reveals Creative Tactics

Cisco Talos reveals a novel tactic employed by cybercriminals, exploiting the “Release scores” feature of Google Forms quizzes to deliver emails orchestrating elaborate cryptocurrency scams. 

Image description: An example of a recent spam campaign utilizing the “Release scores” feature of Google Forms quizzes.

By originating emails from Google’s servers, threat actors may bypass anti-spam protections, increasing the likelihood of reaching victims’ inboxes. This creative approach underscores the adaptability of cybercriminals in devising new methods to achieve their objectives.

Legitimacy Is Not Proved By Name!

What did we learn from these past events? Using a well-known name such as Google does not prove the legitimacy of any form, quiz, or link. 

What must you do then? Embrace advanced threat intelligence tools and engage in continuous workforce training to promote resilience. Implement a culture of proactive cybersecurity to stay ahead. Most importantly, be vigilant for your security.

Author: Marrium Akhtar

Date: November 15, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
