
FIRST PUBLIC EVIDENCE: RedTail Cryptominer Targets Docker APIs
A recent discovery via a honeypot has revealed that the RedTail cryptominer is now targeting exposed Docker APIs on port 2375/tcp. This marks a significant expansion of the services RedTail goes after; it was previously known for exploiting vulnerabilities in PHP, PAN-OS, and Ivanti products. The user who made this discovery confirmed the Command and Control (C2) IP address and User-Agent associated with RedTail, providing concrete evidence of this new targeting method. Notably, no prior public documentation has mentioned RedTail targeting Docker APIs, making this the first public evidence of such activity.

The implications of this development are substantial. Docker APIs, particularly when exposed on unencrypted ports like 2375/tcp, present a lucrative target for cryptominers. If not properly secured, these APIs allow attackers to deploy malicious containers, leading to resource exhaustion and potential data breaches. The discovery underscores the importance of securing Docker environments, including the use of encrypted communication channels and robust authentication mechanisms.

From a cybersecurity perspective, this finding highlights the evolving nature of malware threats. Even well-documented malware families like RedTail can adapt and target new vectors, necessitating continuous threat intelligence and proactive defense strategies. Organizations should conduct regular audits of their exposed services and implement stringent security measures to mitigate such risks.

This incident also underscores the value of honeypots in threat detection. By deploying decoy systems, researchers can uncover new attack vectors and gather valuable intelligence on emerging threats. For cybersecurity professionals, this serves as a reminder to remain vigilant and adaptable in the face of evolving threats.
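As an added example (not part of the original report), the following Python audit checks a Docker `daemon.json` for the exact condition described above: a TCP API listener on 2375 without client-certificate verification. Both sample configurations are constructed for illustration, the finding wording and the `ALL_INTERFACES` set are my own choices, and the script assumes listeners are configured in `daemon.json` rather than via `dockerd -H` flags on the command line.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated remote API."""
import json
from urllib.parse import urlsplit

# Constructed sample: the weak setting (plaintext API on 2375/tcp, no client auth).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: encrypted but still unauthenticated. "tls" alone only
# enables server TLS; without "tlsverify" the daemon accepts any client.
TLS_ONLY_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True, "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: the hardened form, TLS port with mutual authentication.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Bind addresses that expose the listener on every interface (assumed set).
ALL_INTERFACES = {None, "", "0.0.0.0", "::"}


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return human-readable findings; an empty list means no exposure found."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parsed = urlsplit(host)
        if parsed.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not network-reachable
        if not tls_verify:
            findings.append(f"{host}: remote API without tlsverify, any client that "
                            "can reach it controls the daemon")
        if parsed.port == 2375:
            findings.append(f"{host}: plaintext API port 2375/tcp, the port "
                            "observed being scanned for in this report")
        if not tls_verify and parsed.hostname in ALL_INTERFACES:
            findings.append(f"{host}: unauthenticated listener bound to all interfaces")
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_DAEMON_JSON), ("tls-only", TLS_ONLY_DAEMON_JSON),
                      ("hardened", HARDENED_DAEMON_JSON)]:
        print(name, audit_daemon_config(cfg) or ["no exposed-API findings"])
```

Network exposure still depends on host firewalling, so treat an empty result as one input to the audit rather than proof that the API is unreachable.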