Unpatched Docker hosts attacked in cryptojacking campaign
Hackers have successfully attacked hundreds of unpatched Docker hosts to run cryptomining scripts, according to a new report released Monday by security firm Imperva Inc.
The new wave of attacks on Docker has come about following the disclosure in February of a vulnerability known as CVE-2019-5736, a flaw in runC that lets an attacker inside a Docker container gain root access on the host. Once through the door, the attackers can do whatever they please, but cryptojacking seems to be the activity of choice.
Using the Shodan search engine, the researchers found 3,822 Docker hosts with their remote application programming interface open and public. Attempts to connect to the hosts via port 2735 resulted in 400 successful connections.
“We found that most of the exposed Docker remote API IPs are running a cryptocurrency miner for a currency called Monero,” the researchers said. “Monero transactions are obfuscated, meaning it is nearly impossible to track the source, amount, or destination of a transaction.”
Although in this case cryptojacking is highlighted, the researchers warn that the same unpatched Docker hosts are also vulnerable to botnet connections, the theft of data, pivot attacks and the creation of host services for phishing campaigns. In short, unpatched Docker hosts are leaving their doors open to all sorts of nefarious activities.
Beyond the obvious step of always installing the latest security updates (a patch for the vulnerability being exploited in these attacks was released Feb. 12), the researchers concluded that Docker itself can be configured to protect against these types of attacks.
“Exposing Docker ports can be useful and may be required by third-party apps like ‘portainer,’ a management UI for Docker,” they concluded. “However, you have to make sure to create security controls that allow only trusted sources to interact with the Docker API.”
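As an added illustration of that last recommendation (this is not code from the Imperva report or from Docker), the shell script below audits a Docker `daemon.json` for the weak setting at the heart of this campaign, the remote API bound to a TCP socket with no TLS client verification, and shows the hardened equivalent beside it. The two configuration files and their paths are constructed for the example; the `daemon.json` keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are Docker's own, and 2375/2376 are Docker's conventional plaintext and TLS API ports.

```shell
#!/bin/sh
# Added example, not from the Imperva report or the SiliconANGLE article.
# audit_daemon_json FILE
#   Prints one of: no-tcp-listener | tcp-with-tlsverify | tcp-without-tls
#   Returns 0 when the file does not expose an unauthenticated API, 1 when it does.
audit_daemon_json() {
  cfg="$1"
  # No tcp:// entry in "hosts" means the API is only on the local Unix socket.
  if ! grep -q 'tcp://' "$cfg"; then
    echo "no-tcp-listener"
    return 0
  fi
  # A TCP listener is acceptable only with client-certificate verification.
  if grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true' "$cfg"; then
    echo "tcp-with-tlsverify"
    return 0
  fi
  echo "tcp-without-tls"
  return 1
}

# Constructed weak config: the API on every interface, plaintext, no auth.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
EOF

# Constructed hardened config: TLS with client-certificate verification, so
# only holders of a certificate signed by the listed CA can reach the API.
# Certificate paths are placeholders.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
EOF

audit_daemon_json "$WEAK_CFG"      # tcp-without-tls
audit_daemon_json "$HARDENED_CFG"  # tcp-with-tlsverify
```

The daemon configuration governs authentication, not reachability: even the hardened file still listens on every interface, so pair it with a host firewall rule that admits port 2376 only from the management hosts or the tooling (such as a Portainer instance) that actually needs it, and run the audit from configuration management so a later edit that drops `tlsverify` is caught before it ships.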