Cryptomining Malware Moves into Software Containers


Security researchers at Palo Alto Networks have discovered the Graboid worm that spreads through Docker software containers and mines Monero cryptocurrency for the attackers.  This is a new tactic and territory for crypto-mining worms.  It is the first time such malware has been detected traversing software containers.


Once a core image repository is infected, anytime the image is pulled and used, the malware goes with it and is spawned to maliciously consume resources for crypto-mining.  Traditional security software rarely looks inside containers, so these instances can be active for as long as the container is in use.


Security recommendations:

  • Make sure the docker engine is not exposed to the internet without proper authentication controls
  • Use whitelisting where possible to identify and limit allowable incoming traffic sources
  • Tenaciously protect the software repositories from tampering or infection
  • Only pull images from trusted repositories
  • Setup monitoring of images and repositories to detect if they have been modified or acting in unauthorized ways

How do you rate this article?



Matthew Rosenquist
Matthew Rosenquist

Cybersecurity Strategist specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security for our digital world.

Cybersecurity Tomorrow
Cybersecurity Tomorrow

Cybersecurity strategy perspectives for the emerging risks and opportunities of securing our digital world. The insights of today will lead to tomorrow's security, privacy, and safety foundations.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.