Docker Under Siege: Cybercriminals Compromise Honeypots to Ramp Up Attacks

Cloud containers are increasingly part of the cybercrime playbook, with researchers flagging ongoing scanning for Docker weaknesses along with rapid exploitation to infect systems with coin-miners, denial-of-service tools, and ransomware.

Cybercriminals are ramping up their attacks on the Docker Engine — the software foundation of the container infrastructure used by many cloud-native companies. Researchers flagged a pair of cyber campaigns this week that showcase the increasing risk, including a compromise aimed at launching denial-of-service (DoS)) attacks on Russian targets.
On May 5, researchers at cloud-management platform Uptycs said that attackers compromised the firms honeypot, a Docker server configured to allow connections through the remote Docker API. The attacks resulted in the cybercriminals installing cryptomining software and creating a reverse shell, which would have allowed them to explore the server in real time.
The company has detected 10 to 20 attempts to compromise the honeypot server every day, suggesting that attackers have increased their interest in Docker-based infrastructure, says Amit Malik, director of threat research at Uptycs.
We configured one of our machines as a honeypot, and within three hours, we saw it compromised, so we had to shut it down and rebuild it, Malik says. The infection point is very rapid.
The attacks on
Uptycs Docker-based infrastructure are not unique
. The incidents are happening to other companies as well.
Unwitting Hosts to Hostile DoS Activity Against Russia
Honeypots maintained by cybersecurity services firm CrowdStrike experienced similar attacks through the Docker remote API, generally assigned to port 2375 or 2376, according to
an analysis of an attack posted on May 4
.
CrowdStrike researchers revealed that attackers compromised its honeypots through the open Docker API and then installed two malicious container images that were used to to attack Russian and Belarusian sites.
The target lists include the websites of the Russian and Belarusian governments, military, media, and retail sectors, as well as Russian mining, manufacturing, chemical, and technology sectors, according to CrowdStrike.
Both DoS-enabling containers are hosted on Docker Hub. One of the images has been downloaded more than 100,000 times; the second has been downloaded 50,000. CrowdStrike researchers noted that the portion of these downloads that originated from compromised machines is unknown.
The use of compromised infrastructure has far-reaching consequences for organizations that may unwittingly be participating in hostile activity against Russian government, military, and civilian targets, the firm warned. Any investigation into the attack by Russian intelligence will likely point back to the victims server, says Adam Meyers, vice president of intelligence at CrowdStrike.
It is a little different when they are using your infrastructure to attack a third party, he says. If [Russia or Belarus] starts looking at these attacks, they might say, Oh, they are DoSing us, so we will DoS them.
Security Needs to Focus on Docker Threats
While Docker is well known in the development and DevOps communities, security professionals may not be as aware of the potential for insecure configurations or vulnerabilities to undermine enterprise security, Meyers says.
The attack surface is concerning: In December, security startup Prevasio found that
51% of the 4 million images they scanned on Docker Hub
included packages that had a critical security vulnerability. On the misconfiguration front, while exposing the remote Docker API is not a common configuration — currently Shodan counts 803 assets exposing port 2375 — the relatively frequent scanning of the port means that any misconfiguration would be exploited quickly.
It is a relatively new technology, and with any new technology there is a security curve that goes with that, Meyers says. There is a general lack of awareness around the threat, and that is the thing that we are trying to raise the flag with here. You need to take Docker security seriously.
More Visibility Needed into Docker
To understand their level of risk, businesses should ensure that they can adequately monitor the attack surface area of assets such as Docker, Kubernetes servers, and DevOps-related infrastructure, says Siddharth Sharma, a researcher at Uptycs.
Most of these attacks go unnoticed because people might not have a comprehensive security solution monitoring their Docker infrastructure, he says. So the attacker will not be detected as often, unless something goes wrong. But often the types of [payloads] they install are not obvious.
Last year, Docker changed the licensing terms of Docker Desktop, moving to a subscription model and arguing that the shift will
help the company support more security features and audits
. The move came two years after the company split, dividing into Docker — focused on development with Docker Hub and Docker Desktop — and the enterprise infrastructure components of Docker Enterprise, which was sold to Mirantis.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Docker Under Siege: Cybercriminals Compromise Honeypots to Ramp Up Attacks