Full Report
CrowdStrike uncovered a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized "dog"-themed mining pool domains. Nicknamed "Kiss-a-dog," the campaign used multiple comman...
Analysis Summary
# Threat Actor: 🐶WatchDog (Associated with Kiss-A-Dog Campaign)
## Attribution & Identity
**Identification:** The threat activity is associated with the "Kiss-a-dog" cryptojacking campaign, attributed to the actor **🐶WatchDog**.
**Known Aliases and Groups:** The article links this campaign to 🐶WatchDog.
## Activity Summary
The activity centers around the **Kiss-A-Dog campaign**, which is a cryptojacking operation discovered by CrowdStrike targeting vulnerable Docker and Kubernetes environments. The campaign aggressively seeks to hijack compute resources for cryptocurrency mining. The operation involves initial compromise, container escape, deployment of mining software, and attempts to establish persistence and evade detection using rootkits.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting an exposed Docker socket.
- **Execution/Privilege Escalation:** Container escape, including exploiting host mounts.
- **Defense Evasion:** Use of user-mode and kernel-mode rootkits to hide mining activity.
- **Persistence:** Utilizing a Redis service as a backdoor mechanism.
- **Lateral Movement:** Observed attempts to move laterally within the network.
- **Resource Hijacking:** Deploying cryptominers to achieve the final objective.
**(MITRE ATT&CK IDs were not provided in the source text, so they are omitted.)**
## Targeting
- **Sectors:** Cloud compute environments (specifically Docker and Kubernetes infrastructure).
- **Geography:** Not explicitly detailed, but targeting cloud infrastructure suggests a wide potential scope.
- **Victims:** Organizations running vulnerable Docker/Kubernetes deployments, whose compute resources are hijacked for cryptocurrency mining.
## Tools & Infrastructure
- **Malware Families/Tools:** Cryptominer, user-mode rootkits, kernel-mode rootkits, Redis (used for backdoor/persistence).
- **Infrastructure (C2, Domains):** Used obscure domains in the payload and anonymized, "dog"-themed mining pool domains. (The source does not list specific C2 domains or IPs.)
## Implications
This campaign poses a significant risk to organizations running containerized workloads (Docker/Kubernetes) due to its reliance on easily exploitable initial access points (exposed Docker sockets). The use of container escapes and kernel-mode rootkits indicates a sophisticated attempt to subvert the host system and maintain long-term access for resource theft.
## Mitigations
- Secure Docker and Kubernetes configurations, especially regarding exposed sockets and host mounts.
- Implement container security monitoring to detect container escape attempts and unauthorized process execution (like rootkits).
- Regularly audit running containers for the presence of unexpected mining processes or backdoors (like unintended Redis instances).
- Employ network segmentation and strong egress filtering to limit lateral movement and contact with known mining pools.
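As an added example, not code from the CrowdStrike report, the following Python script audits `docker inspect`-style container records and a `daemon.json` for the configurations the first two mitigations call out: a Docker API exposed over TCP, the Docker socket or sensitive host paths bind-mounted into a container, and privileged or host-namespace containers. The container records and daemon configurations below are constructed samples that only carry the fields the script reads; the field names (`HostConfig.Privileged`, `PidMode`, `NetworkMode`, `Mounts`, `hosts`, `tlsverify`) follow Docker's own inspect output and daemon configuration. The set of sensitive host paths is an assumption chosen for this example, not a list from the report.

```python
import json

# Host paths whose bind-mount into a container gives the container a path onto
# the host (the "exploiting host mounts" escape the summary describes) or
# control of the Docker daemon (the "exposed Docker socket" initial access).
# Assumed list for this example; extend it for your environment.
SENSITIVE_HOST_PATHS = {
    "/": "host root filesystem mounted into the container",
    "/var/run/docker.sock": "Docker socket mounted (container can drive the daemon)",
    "/run/docker.sock": "Docker socket mounted (container can drive the daemon)",
    "/etc": "host /etc reachable (cron, passwd, ssh configuration)",
    "/root": "host /root reachable",
    "/proc": "host /proc reachable",
    "/sys": "host /sys reachable",
    "/dev": "host /dev reachable (block devices, raw disks)",
    "/lib/modules": "host kernel module tree reachable",
}


def _normalize(path):
    """Strip trailing slashes so '/etc/' and '/etc' compare equal; keep '/' itself."""
    return path.rstrip("/") or "/"


def _under(path, parent):
    """True if `path` is `parent` or lies inside it. Only '/' itself counts as root."""
    if parent == "/":
        return path == "/"
    return path == parent or path.startswith(parent + "/")


def audit_container(record):
    """Return a list of finding strings for one `docker inspect` record (a dict)."""
    findings = []
    host_config = record.get("HostConfig", {})
    if host_config.get("Privileged"):
        findings.append("privileged container (all capabilities, raw device access)")
    if host_config.get("PidMode") == "host":
        findings.append("shares the host PID namespace (host processes visible)")
    if host_config.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    for mount in record.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # named volumes and tmpfs do not expose host paths
        src = _normalize(mount.get("Source", ""))
        dst = mount.get("Destination", "?")
        for parent, why in SENSITIVE_HOST_PATHS.items():
            if _under(src, parent):
                findings.append(f"bind mount {src} -> {dst}: {why}")
    return findings


def audit_containers(records):
    """Map container name -> findings, keeping only containers with at least one."""
    report = {}
    for record in records:
        findings = audit_container(record)
        if findings:
            report[record.get("Name", "?").lstrip("/")] = findings
    return report


def audit_daemon_config(daemon_json):
    """Flag daemon.json `hosts` entries that expose the Docker API over TCP."""
    cfg = json.loads(daemon_json)
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        if not cfg.get("tlsverify"):
            findings.append(f"{listener}: Docker API over TCP without TLS client verification")
        elif "0.0.0.0" in listener or "[::]" in listener:
            findings.append(f"{listener}: TLS-verified API bound to all interfaces")
    return findings


# Constructed sample input mimicking `docker inspect` output (only the fields read above).
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/web",
   "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "bridge"},
   "Mounts": [{"Type": "volume", "Name": "webdata", "Destination": "/data"}]},
  {"Name": "/ci-runner",
   "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "bridge"},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock"}]},
  {"Name": "/node-agent",
   "HostConfig": {"Privileged": true, "PidMode": "host", "NetworkMode": "host"},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"},
              {"Type": "bind", "Source": "/etc/cron.d", "Destination": "/cron"}]}
]""")

# Constructed daemon.json samples: one exposing the API on every interface, one local-only.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
LOCAL_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock"]}'

if __name__ == "__main__":
    # Real use: `docker inspect $(docker ps -q) > inspect.json` and load that file here.
    for name, findings in audit_containers(SAMPLE_INSPECT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    for finding in audit_daemon_config(EXPOSED_DAEMON_JSON):
        print("daemon:", finding)
```

Bind mounts are matched by prefix, so a container given `/etc/cron.d` is reported under the `/etc` rule; the root filesystem is matched only when `/` itself is mounted, otherwise every path would trigger it. The daemon check treats any `tcp://` listener without `tlsverify` as an unauthenticated, root-equivalent API, which is the initial access path the summary describes.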