Sep 30, 2025 – Lina Romero – In 2025’s fast-moving cyber landscape, attacks are everywhere and AI and APIs are the biggest targets. We’ve spoken before about hackers exploiting Docker Swarm to launch cryptomining attacks, but now attackers are using Docker APIs for other malicious purposes. It started this June. Trend Micro noticed abnormal activity in Docker’s APIs- attacks that started as requests to exposed APIs to retrieve a list of containers. The bad actors would then create a novel container to connect to the host root and carry out their attack on the host system. However, an encoded payload hidden in the initial request executes a shell script that sets up the Tor browser in the container and fetches a payload over the Tor network (Security Week). The attackers can then deploy a malicious shell script and modify the SSH configuration of the host system. At this point, the attackers deploy a binary acting as a dropper for an XMRig cryptocurrency miner and “all necessary execution stops internally, allowing it to deploy the miner without requiring the download of any external components” in order to avoid detection (Trend Micro). However, this was only the beginning- on September 8th of this year, hackers launched similar attacks, but with a twist: after carrying out the same initial steps, they proceeded to block external access to the Docker API by writing a command to the cron tab file to create a cron job that blocks its access every minute. From there, threat actors can perform mass scans for other open ports, and propagate malware in new containers using the exposed APIs. Researchers from Trend Micro determined that the attackers used AI in the creation of these tools. What is especially troubling is that these attacks are growing more advanced and may only continue to increase in volume and complexity. As AI and API attacks surge, Docker APIs are a popular target for attackers. Maintaining strong API security is the corner store of cybersecurity as a whole- after all, API security IS AI security. To learn more about securing AI and APIs, check out FireTail’s all-in-one approach. Set up a demo or start a free trial today.
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2025/09/docker-apis-targeted-firetail-blog/
