• Hackers abuse TOR network

    From Mike Powell@1:2320/105 to All on Thu Sep 11 09:04:40 2025
    Hackers abuse TOR network and misconfigured Docker APIs to steal crypto - so keep an eye on your wallet

    Date:
    Wed, 10 Sep 2025 14:00:00 +0000

    Description:
    A major cryptojacking campaign, possibly turning into a botnet, was seen in
    the wild.

    FULL STORY

    Cybercriminals are targeting exposed Docker APIs to install cryptojackers,
    scan the internet for more potential victims, and possibly even build out a botnet.

    Recently, security researchers from Akamai wrote an in-depth report about a
    new campaign, seemingly a continuation of a similar one that was spotted by Trend Micro in late June 2025.

    The campaign revolves around looking for servers with the Docker API exposed on port 2375. Once identified, the crooks create a new container and pull down a script from a hidden TOR (.onion) website.

    Cryptojacking botnet

    The script tweaks system settings to establish persistence, installs
    scanning software like Masscan, and drops additional malware. This malware then scans the internet for other exposed instances, repeating the infection process.

    The malware also has code that could attack Telnet (port 23) and Chromium's debugging port (9222). For the former, it would brute-force weak routers and other devices, while for the latter it could hijack browser sessions and
    steal cookies and other data.

    "These parts aren't active yet, but the code suggests they may be enabled
    later," the researchers said.

    Right now, the campaign is mostly about cryptojacking - the instances are hijacked to mine the Monero cryptocurrency. But the extra code hints that attackers want to expand it into a botnet, which could steal data or launch large-scale DDoS attacks.

    To prevent and mitigate these attacks, Akamai suggests four things every IT team can do. First, they should isolate the Docker environment from other
    parts of the network, since this limits the ability of the attackers to move laterally. They should also make sure they expose as few services as possible to the internet.

    "This malware exploits the ports 2375, 9222, and 23 by accessing these from
    the internet, and blocking such access can totally mitigate the threat," they said. Furthermore, when using the Chrome debugger port (9222), IT teams
    should use specific remote IP addresses instead of 0.0.0.0. And finally, when installing a new device, they should make sure to change the default credentials to something stronger.
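    A defender-side audit for the three exposures the article names, written here as an added example (it is not code from the article, TechRadar or Akamai's report). It assumes Linux `ss -ltnp` output and runs over a constructed sample, flagging ports 2375, 9222 and 23 that are bound to a wildcard address rather than a specific interface:

```python
# Constructed sample of `ss -ltnp` output for illustration; not real scan data.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:9222      0.0.0.0:*         users:(("chrome",pid=2210,fd=41))
LISTEN 0      4096   [::]:23             [::]:*            users:(("telnetd",pid=301,fd=4))
LISTEN 0      128    192.168.1.10:22     0.0.0.0:*         users:(("sshd",pid=600,fd=3))
"""

# Ports the article says the campaign reaches from the internet.
RISKY_PORTS = {
    2375: "Docker API (unauthenticated TCP socket)",
    9222: "Chromium remote debugging",
    23: "Telnet",
}
# Bind addresses that accept connections on every interface.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_listeners(ss_text):
    """Return (address, port, process) tuples from `ss -ltnp` output, skipping the header."""
    listeners = []
    for line in ss_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        addr, _, port = parts[3].rpartition(":")   # split "[::]:23" / "0.0.0.0:2375"
        addr = addr.strip("[]")                     # IPv6 addresses are bracketed
        proc = parts[5] if len(parts) > 5 else ""
        listeners.append((addr, int(port), proc))
    return listeners


def find_exposed(listeners):
    """Flag risky ports bound to a wildcard address; a loopback or specific-IP bind passes."""
    findings = []
    for addr, port, proc in listeners:
        if port in RISKY_PORTS and addr in WILDCARD_ADDRS:
            findings.append({"port": port, "addr": addr,
                             "service": RISKY_PORTS[port], "process": proc})
    return findings


if __name__ == "__main__":
    for f in find_exposed(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"EXPOSED: {f['service']} on {f['addr']}:{f['port']} {f['process']}")
```

    On the sample, the Docker API on 0.0.0.0:2375 and Telnet on [::]:23 are reported, while the debugger bound to 127.0.0.1:9222 is not.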

    Via The Hacker News

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/hackers-abuse-tor-network-and-misconfigured-docker-apis-to-steal-crypto-so-keep-an-eye-on-your-wallet

    $$
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)