Hello, welcome to the Monday, November 26, 2018 edition of the Sands at Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

While many of you, like me, probably took the long weekend off.

Our European handlers stayed busy and published a number of interesting

posts over the last couple days. I want to point out one post in particular by Remko about

attacks against Docker APIs. Now, this is something I have mentioned before. By default, Docker doesn't actually listen

for network connections, but it can easily be configured to do so. If you decide to expose

Docker's HTTP interface on port 2375 TCP, be ready that you will be scanned.

And Remco is walking through an exploit attempt of Docker API.

The end result here is that NetHacker will be able to launch arbitrary Docker containers.

Of course, they're going to use this for crypto coin mining and in some cases attackers use the

Nkrock.io service in order to expose some of these internal servers in particular to then of

course have easier access to them and yes crypto coin mining certainly is still a thing among

attackers crypto coin prices have is still a thing among attackers.

Cryptocoin prices have been depreciating quite quickly lately,

but remember attackers, they don't pay for power,

so even if they get only a fraction of what they used to get in the past,

well, it's still worth it to them.

And Matthew Bing with Arbor Networks has a nice write-up about how the recent yarn vulnerability in her dupe is being exploited by botnets.

In particular, a Miri-like botnet apparently has zoomed in on this vulnerability and added it to its repertoire.

That's something we have seen with Mirai anyway where, yes, in the beginning it was just going after these simple telnet and SSH,

...