• itscybernews
  • Posts
  • Understanding the Commando Cat Cryptojacking Attack

Understanding the Commando Cat Cryptojacking Attack

How It Works, Who’s Vulnerable, and How to Protect Yourself

Author

The itscybernews Team
June 07, 2024

In partnership with

Instantly calculate the time you can save by automating compliance

Whether you’re starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

The Commando Cat Cryptojacking Attack

Understanding the Commando Cat Cryptojacking Attack: How It Works, Who’s Vulnerable, and How to Protect Yourself

In the ever-evolving landscape of cybersecurity threats, a new attack campaign named "Commando Cat" has emerged, targeting misconfigured Docker instances to deploy cryptojacking scripts. This blog post delves into the specifics of this attack, how it operates, the vulnerabilities it exploits, and how organizations can protect themselves.

What is the Commando Cat Attack?

Commando Cat is a sophisticated cryptojacking campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners. The attackers use a Docker image named cmd.cat/chattr, which retrieves the payload from their own command-and-control (C&C) infrastructure​​.

How the Attack Works

  1. Exploitation of Misconfigured Docker APIs:

    • The attackers scan for misconfigured Docker remote API servers. Once they identify a vulnerable instance, they deploy the cmd.cat/chattr Docker image​​.

  2. Payload Deployment:

    • This Docker image is used as a base to instantiate a container and then break out of its confines using the chroot command, which allows them to gain access to the host operating system​​.

  3. Cryptominer Installation:

    • The final step involves downloading a malicious miner binary using curl or wget from the C&C server. The binary is suspected to be ZiggyStarTux, an open-source IRC bot based on the Kaiten (aka Tsunami) malware​​.

Vulnerabilities Exploited

The Commando Cat campaign exploits vulnerabilities primarily in Docker and ThinkPHP applications. Specifically, it takes advantage of:

  • CVE-2018-20062: This vulnerability allows remote code execution in ThinkPHP applications, which can be exploited to install web shells​​.

  • CVE-2019-9082: Another ThinkPHP remote code execution vulnerability that enables attackers to inject and execute arbitrary code on the affected server​​​​.

Who is Vulnerable?

Organizations using Docker and ThinkPHP with misconfigured or unpatched instances are at significant risk.

Get smarter about crypto with MilkRoad’s 5 minute daily newsletter, read by 290,000+ people. Subscribe for free!

How to Protect Yourself

To mitigate the risk of falling victim to the Commando Cat attack, consider implementing the following security measures:

  1. Secure Docker Configurations:

    • Ensure Docker API is not exposed to the internet.

    • Use firewall rules to restrict access to Docker daemon.

    • Regularly update Docker and its components to the latest versions.

  2. Patch ThinkPHP Vulnerabilities:

    • Apply security patches for ThinkPHP applications as soon as they are released.

    • Regularly audit and update third-party libraries and frameworks used in development.

  3. Implement Network Security Measures:

    • Use intrusion detection and prevention systems (IDS/IPS) to monitor for suspicious activities.

    • Employ network segmentation to limit the spread of an attack if a container is compromised.

  4. Monitor and Audit Logs:

    • Continuously monitor logs for unusual activity that could indicate an attempted or successful compromise.

    • Implement automated tools to alert administrators of potential security incidents.

  5. Regular Security Training:

    • Educate staff about the latest security threats and best practices.

    • Conduct regular security drills and audits to ensure compliance with security policies.

By staying informed and proactive, organizations can significantly reduce the risk of being targeted by cryptojacking attacks like Commando Cat. Ensuring robust security practices and timely patching of vulnerabilities are critical steps in defending against these sophisticated threats.

If you want to start your own newsletter and want to start earning straight away, please feel free to use my affiliate link here.

Other news

1. Los Angeles Unified School District Investigates Data Theft Claims

The Los Angeles Unified School District (LAUSD) is investigating claims by a threat actor that they are selling stolen databases containing records of millions of students and thousands of teachers. The district is working to assess the validity of these claims and the potential impact on their systems.

2. Chinese Hacking Groups Team Up in Cyber Espionage Campaign

Multiple Chinese hacking groups have been observed collaborating in a sophisticated cyber espionage campaign. These groups are targeting government and private sector entities worldwide, using advanced techniques to infiltrate and exfiltrate sensitive information. This development underscores the increasing complexity and coordination in state-sponsored cyber activities.

Source: The Hacker News​​

3. FBI Recovers 7,000 LockBit Keys, Urges Ransomware Victims to Reach Out

The FBI has successfully recovered 7,000 decryption keys from the LockBit ransomware group. Victims of LockBit ransomware are encouraged to reach out to the FBI to recover their encrypted data. This recovery is part of ongoing efforts to combat ransomware and support affected organizations.

Source: BleepingComputer​​

4. Kali Linux 2024.2 Released with 18 New Tools and Y2038 Changes

The latest version of Kali Linux, 2024.2, has been released, featuring 18 new tools and modifications to address the Y2038 bug. This release aims to enhance the capabilities of cybersecurity professionals and researchers by providing updated tools and improved system stability.

Source: BleepingComputer​​

5. New Gitloker Attacks Wipe GitHub Repos in Extortion Scheme

Attackers have launched a new extortion scheme targeting GitHub repositories. These Gitloker attacks involve wiping the contents of repositories and demanding the victims contact them via Telegram for further instructions. This highlights the importance of regular backups and robust security practices for code repositories.

Source: The Hacker News​​​​