28 May 2025

Misconfigured Docker APIs Under Attack – Is Your Infrastructure Safe?

Cloud-native technologies like Docker have revolutionized how modern enterprises deploy applications—but they’ve also opened new doors for attackers. In recent months, cybersecurity researchers have uncovered an alarming surge in attacks targeting misconfigured Docker API instances, turning them into nodes in massive, resource-hijacking botnets designed to mine cryptocurrencies like Dero and Monero.
These campaigns are more than just opportunistic—they're automated, stealthy, and increasingly effective. Threat actors are exploiting public-facing Docker APIs to deploy malware, evade detection, and propagate rapidly across the internet.
At Digialert, we’ve observed a 40% increase in cryptojacking incidents targeting cloud workloads in 2024 alone, signaling a serious need for cloud-native security modernization.
This blog explores the mechanics of this attack vector, the risks it poses, and how businesses can defend their infrastructure before they become the next target.

The Vulnerability: Docker APIs Exposed

Docker’s remote API is designed to streamline container management. But when left unsecured or publicly accessible, it acts as a backdoor into your infrastructure.

Why Attackers Love Docker APIs:

  • Default Port 2375 Often Exposed: Many instances are left accessible over the internet without authentication.
  • Powerful Privileges: Docker APIs allow commands that can pull and run containers, mount host directories, and more.
  • Poor Security Hygiene: In a rush to deploy, teams often skip security configurations like TLS or IP whitelisting.
  • A 2023 report by Shodan revealed over 6,000 Docker hosts exposed online, with a large portion lacking even basic access controls. These are low-hanging fruit for threat actors.
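To make the exposure concrete, here is an added audit example (not code from the original post) that checks a daemon.json for the unauthenticated TCP listener described above, with a hardened counterpart beside it; the certificate paths and the 10.0.0.5 bind address are assumed values.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json contents (not taken from any real host).
# The first is the exposed pattern: the API on all interfaces, port 2375, no TLS.
# Anyone who can reach it can run a container with the host filesystem mounted,
# which is root on the host.
EXPOSED_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
# The hardened form: bound to one management address on 2376 and requiring
# client certificates signed by the CA in tlscacert (assumed file paths).
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

def audit_daemon_config(text):
    """Return a list of findings for the TCP listeners declared in a daemon.json."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix sockets are local-only; file permissions govern them
        if parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP API without client-certificate verification")
        else:
            for key in ("tlscacert", "tlscert", "tlskey"):
                if key not in cfg:
                    findings.append(f"{host}: tlsverify set but {key} missing")
    return findings

if __name__ == "__main__":
    print("exposed :", audit_daemon_config(EXPOSED_CONFIG))
    print("hardened:", audit_daemon_config(HARDENED_CONFIG))
```

On systemd hosts the stock docker.service unit passes `-H fd://`, which conflicts with a `hosts` entry in daemon.json, so that flag has to be dropped through a unit override before the hardened file is loaded.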

Anatomy of the Attack: What Happens Behind the Scenes

Cybersecurity researchers, including Kaspersky and Digialert’s own incident response team, have analyzed the behavior of the malware used in this campaign. Here’s how it works:

1. Worm-Like Propagation

The attack starts by scanning the internet for Docker APIs on port 2375 using tools like masscan. Once a vulnerable target is found, the malware deploys a container that replicates the same scan-and-infect behavior, effectively making each infected host a propagation node.

2. Masquerading Malware

Processes are given deceptive names like "nginx" or "cron" to blend in with legitimate services. This reduces the chance of detection by both system administrators and traditional anti-malware tools.

3. Persistence & Expansion

The malware ensures it survives reboots by modifying .bash_aliases, setting up cron jobs, and configuring Docker containers with restart policies. Tools like masscan and docker.io are used to expand the botnet’s reach further.

4. Cryptocurrency Mining

The primary goal? Cryptojacking. The malware mines Dero, a lesser-known privacy coin designed for CPU-based mining. Other variants use XMRig to mine Monero. In some cases, the malware communicates with its operators via PyBitmessage, enabling decentralized command-and-control (C2) operations.

Stats That Tell the Story

  • 6,000+ exposed Docker daemons were indexed by Shodan in 2023.
  • A 2024 report by Kaspersky noted a 65% rise in cryptojacking botnets leveraging Docker APIs.
  • Digialert's monitoring tools detected a 4x increase in container resource spikes attributable to unauthorized crypto miners in Q1 2024 alone.
  • 50% of affected organizations were unaware their infrastructure had been compromised—until cloud costs spiked.

Why This Matters: Risks Beyond Resource Theft

While cryptojacking may not seem as devastating as ransomware or data exfiltration, its impacts are far from harmless.

1. Financial Impact

Mining operations hijack CPU, RAM, and GPU cycles, which translates directly into higher cloud bills—sometimes by 200–300%. AWS, Azure, and GCP customers pay for every cycle used.

2. Operational Disruption

High resource usage causes degraded application performance, service latency, and potential downtime, which could be mission-critical for businesses in sectors like e-commerce or finance.

3. Lateral Movement

Once inside, attackers may use the compromised container as a pivot point to move deeper into your environment, especially if it’s connected to Kubernetes clusters or CI/CD pipelines.

4. Regulatory Exposure

If your Docker host handles sensitive workloads or personal data, a breach—even indirect—could mean non-compliance with regulations like GDPR, HIPAA, or India’s Digital Personal Data Protection Act (DPDP Act).

Digialert’s Recommendations: How to Secure Docker Environments

Securing containerized environments requires more than just traditional perimeter defenses. Here’s a proven defense playbook:

1. Lock Down Docker APIs
  • Disable public access unless absolutely necessary.
  • Use TLS authentication for all API communications.
  • Whitelist access to known IP addresses and restrict traffic on port 2375.
2. Enable Monitoring & Logging
  • Use tools like Sysdig, Prometheus, or Falco to monitor container activity.
  • Log all Docker API calls and forward logs to a centralized SIEM like Splunk or ELK Stack.
  • Set up alerts for unexpected container deployments or traffic patterns.
3. Patch and Update Frequently
  • Keep your Docker Engine and related tools up to date.
  • Regularly apply security patches for system libraries, kernel modules, and third-party tools like masscan.
4. Implement Runtime Protection
  • Use behavior-based detection platforms (e.g., Aqua Security, Wiz, or Datadog) to identify unauthorized behaviors like mining processes or unusual outbound connections.
  • Leverage eBPF-based security tools for deep visibility into kernel-space actions.
5. Penetration Testing & Audit
  • Perform routine container and API security audits.
  • Validate your configurations against CIS Docker Benchmarks.
  • Test lateral movement risks using red team simulations.
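The alerting recommended in step 2 can be built directly on the Docker event stream. The following added example (not part of the original post) applies the behaviours described in the Anatomy section, masquerading service names and bursts of container launches, to a constructed sample of `docker events --format '{{json .}}'` output; the image allowlist and burst thresholds are assumptions to adapt per host.

```python
import json
from collections import deque

# Assumed allowlist of images this host is expected to run (example only).
ALLOWED_IMAGES = {"nginx:1.25", "registry.example.com/app:2.3"}
# Service names the post reports the malware borrowing to blend in.
MASQUERADE_NAMES = {"nginx", "cron"}
BURST_COUNT, BURST_WINDOW = 3, 600  # three starts inside ten minutes

# Constructed, trimmed sample of `docker events --format '{{json .}}'` lines (not real data).
SAMPLE_EVENTS = [
    '{"Type":"container","Action":"start","Actor":{"ID":"a1","Attributes":{"image":"nginx:1.25","name":"web"}},"time":1000}',
    '{"Type":"container","Action":"create","Actor":{"ID":"b2","Attributes":{"image":"alpine","name":"nginx"}},"time":1100}',
    '{"Type":"container","Action":"start","Actor":{"ID":"b2","Attributes":{"image":"alpine","name":"nginx"}},"time":1200}',
    '{"Type":"container","Action":"start","Actor":{"ID":"c3","Attributes":{"image":"alpine","name":"cron"}},"time":1300}',
    '{"Type":"container","Action":"start","Actor":{"ID":"d4","Attributes":{"image":"registry.example.com/app:2.3","name":"worker"}},"time":2000}',
]

def image_repo(image):
    """'registry.example.com:5000/nginx:1.25' -> 'nginx' (drop registry, tag, digest)."""
    last = image.split("@")[0].rsplit("/", 1)[-1]
    return last.split(":")[0]

def analyze_events(lines):
    """Return findings for container start events that match the campaign's behaviour."""
    findings, recent_starts = [], deque()
    for line in lines:
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") != "start":
            continue  # only container starts matter for the three checks below
        attrs = ev["Actor"]["Attributes"]
        image, name, ts = attrs.get("image", ""), attrs.get("name", ""), ev["time"]
        if image not in ALLOWED_IMAGES:
            findings.append(f"{name}: started from unexpected image {image}")
        if name in MASQUERADE_NAMES and image_repo(image) != name:
            findings.append(f"{name}: service name does not match image {image}")
        # Sliding window: many starts in a short time is the "multiple containers per host" pattern.
        recent_starts.append(ts)
        while ts - recent_starts[0] > BURST_WINDOW:
            recent_starts.popleft()
        if len(recent_starts) == BURST_COUNT:  # alert once when the threshold is crossed
            findings.append(f"burst: {BURST_COUNT} container starts within {BURST_WINDOW}s")
    return findings

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print("ALERT", finding)
```

Piping the live stream into the same function (`docker events --format '{{json .}}' | python3 detect.py` reading stdin) gives the unexpected-deployment alert the playbook asks for; forward the findings to the SIEM in step 2.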

Digialert’s Take: The Frontline Experience

At Digialert, our MDR (Managed Detection and Response) team has handled multiple real-world incidents involving Docker API abuse in the past year. Many organizations only discovered the issue after receiving unusually high cloud bills or suffering unexplained performance lags.

One client, a mid-sized SaaS provider, saw their AWS bill increase by $15,000 in just one month due to hidden cryptominers running in containers. Our team traced the source to a publicly exposed Docker API with no access controls. Within hours, attackers had launched multiple containers per host, each mining Monero 24/7.

The incident was resolved with API lockdown, container hardening, and MDR integration. But it’s a stark reminder: misconfiguration is not a technical error—it’s a business risk.

Let’s Talk: Is Your Infrastructure Safe?

Securing container environments isn’t optional anymore—it’s foundational. Misconfigured APIs are like open vault doors in the digital world, waiting to be exploited.

We’d love to hear from you:

  • Has your organization ever discovered unauthorized container activity?
  • Are your Docker/Kubernetes environments protected with runtime monitoring?
  • Do you regularly audit your infrastructure for exposed ports and APIs?

Drop your thoughts in the comments, share your experience, or connect with us for a free container security assessment.

Stay Connected for More Insights

As cyber threats evolve, so must our defenses. At Digialert, we’re committed to sharing actionable intelligence, hands-on security strategies, and expert analysis from the trenches.

  • Follow Digialert for cutting-edge threat reports, security best practices, and updates on our MDR and vCISO offerings.
  • Stay informed with VinodSenthil, cybersecurity leader and CEO of Digialert, who regularly shares insights from the frontlines of digital defense.