Exposed Docker API Ports: ‘Dero’ Cryptocurrency Mining Malware Alert

Kaspersky, a global cybersecurity company, recently identified a cryptocurrency mining malware campaign exploiting exposed Docker API ports. The attack goes beyond simple mining operations by featuring propagation capabilities that pose a serious threat to entire cloud infrastructures. In this article, we outline the security risks associated with exposed Docker APIs and share proactive defense strategies, including real-world detection insights based on Criminal IP.

Docker API Port Exposure

Docker is a core platform for implementing container-based services in DevOps environments. However, port 2375, which is used by the Docker daemon by default, poses a critical security vulnerability when exposed without Transport Layer Security (TLS) encryption. This misconfiguration enables unauthenticated external access, allowing attackers to create containers or execute arbitrary commands—posing a significant cybersecurity threat.

The recently identified attack abuses exposed Docker APIs to create malicious containers and inject two primary malware strains into the compromised environment.

  • cloud: a malicious binary designed to perform cryptomining operations.
  • nginx: a self-spreading malware component that propagates across the infected infrastructure.

Notably, this attack does not use a traditional C2 (Command and Control) server. Instead, the compromised containers autonomously scan the internet and spread the infection to other containers. This significantly complicates detection and mitigation efforts and poses a serious threat to cloud-based infrastructures.

Detecting Exposed Docker Port 2375 with Criminal IP

Public data indicates that an average of 485 Docker API ports are exposed to the internet every month. However, this number does not fully represent the actual attack surface. Many systems unintentionally expose ports during automated configuration or leave them open when transitioning from test to production environments.

Threat Intelligence (TI)-based solutions offer an effective way to identify an organization’s attack surface in advance. CTI platforms such as Criminal IP enable users to discover externally exposed Docker API ports using targeted queries.

Query for Detecting Exposed Docker API Port

Criminal IP Search Query: port:2375 

Search result for 'port: 2375' on Criminal IP Asset Search

According to Criminal IP’s search results, 104,149 instances of port 2375 were exposed worldwide, some of which allowed unauthorized access and exposed Docker container information, revealing a severe security vulnerability. The statistics on the right show that infrastructure from various countries, including the United States, China, South Korea, Germany, and Japan, is at risk.

Detection of open port '2375' returning a 200 status code

This server is a real-world exposed asset detected through Criminal IP. It is running a Windows environment based on Microsoft-IIS 8.5 and has port 2375 open, returning HTTP 200 responses for the Docker REST API.

This allows unauthenticated external calls to Docker commands, opening the door to attacks such as:

  • Listing containers
  • Creating and executing malicious containers
  • Lateral movement within the system
  • Injecting cryptocurrency mining binaries

After connecting to the exposed port, the attacker creates a malicious container and injects cryptomining binaries such as ‘cloud’ and ‘nginx’. The infected container is capable of scanning the internet and propagating itself by compromising other containerized environments. This self-propagating malware evades standard security defenses and doesn’t rely on a conventional command-and-control (C2) server.

Preventing Exposure of Docker API Ports

Docker API port 2375 is often left open in development and testing environments for convenience, but its exposure to the public can pose a serious security threat. The following security measures should be taken to proactively mitigate potential risks.

  • Block External Access – Restrict access to port 2375 using firewalls or cloud security groups to prevent unauthorized external connections.
  • Enforce TLS Authentication and Encryption – Apply TLS certificates to secure Docker API communication. Enforce encrypted traffic and require mutual authentication between the client and server.
  • Use Automated Scanning and CTI Tools – Automate the detection of exposed ports and abnormal behavior using CTI tools such as Criminal IP.
  • Disable Unused Ports – Review environments to ensure unnecessary ports or services are disabled in production. Apply the principle of least privilege and disable unused API features.

FAQ

Q1. What happens if Docker port 2375 is exposed?

Port 2375 is the default port used by the Docker daemon for REST API communication. If it is exposed externally without authentication, anyone can interact with the API and gain control over Docker containers. This can result in a critical security breach.

  • Unauthorized container execution: Containers can be created, deleted, or manipulated without any form of authentication.
  • Deployment of malicious images: Attackers may deploy containers embedded with cryptojacking malware.
  • Exposure of internal information: API responses can leak sensitive data such as container lists, image metadata, and API version details.
  • Self-Propagating Malware Spread: A compromised container may scan internal networks to infect additional Docker environments.
  • System Instability: High volumes of malicious requests may exhaust system resources, leading to degraded performance or complete outages.

Q2. How can you prevent exposure of Docker API port 2375?

Docker API port 2375 is open to unauthenticated external access by default. In cloud environments, this poses a serious security risk and must be addressed with proper configurations. Start by blocking external access to this port using firewalls or cloud security groups. Then, enforce encrypted communication by enabling TLS on the Docker daemon, which also ensures that only authenticated requests are accepted. Limit access to the Docker socket as much as possible, and disable any unnecessary API features to reduce the attack surface. Most importantly, implement continuous monitoring. Use CTI tools like Criminal IP to regularly scan for exposed ports and detect unusual activity early. This allows you to respond quickly before issues escalate.
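As an added example (not from the article or from Criminal IP), the following Python script audits a dockerd daemon.json for the unauthenticated TCP listener that the "Preventing Exposure of Docker API Ports" section and Q2 warn about, and shows the hardened form with mutual TLS next to it. The two sample configs, the private bind address 10.0.0.5 and the certificate paths are constructed placeholders; only the daemon.json keys themselves (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options.

```python
import json

# Constructed sample daemon.json (not from the article): the Docker daemon
# listening on TCP 2375 with no TLS, the misconfiguration the article describes.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened equivalent: TLS listener on 2376 with client-certificate (mutual)
# authentication, bound to a private address. The address and certificate
# paths are placeholders for this example; adjust them to your environment.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})

PUBLIC_BINDS = {"", "0.0.0.0", "[::]"}


def audit_daemon_config(raw: str) -> list[str]:
    """Return findings for a dockerd daemon.json; an empty list means clean.

    Each tcp:// listener is checked for missing mutual TLS (tlsverify),
    for TLS without client authentication, and for binding to all interfaces.
    """
    cfg = json.loads(raw)
    tls_verify = bool(cfg.get("tlsverify", False))
    tls_only = bool(cfg.get("tls", False)) and not tls_verify
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        if tls_only:
            findings.append(f"{host}: tls enabled but tlsverify off (no client authentication)")
        if bind in PUBLIC_BINDS:
            findings.append(f"{host}: bound to all interfaces; firewall it or bind to a private address")
        if port == "2375" and not tls_verify:
            findings.append(f"{host}: plaintext default port 2375 exposed")
    return findings


if __name__ == "__main__":
    for label, raw in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw) or ["no findings"])
```

On systemd-based distributions the unit file's own -H fd:// flag conflicts with a hosts entry in daemon.json, so the listener is commonly set through a systemd drop-in override instead; the audit logic is the same for either source.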

Conclusion

Docker APIs are powerful tools for automating cloud services, but exposing port 2375 without proper authentication can open the door to serious threats. Recently, attackers have increasingly exploited this weakness to distribute cryptocurrency mining malware. These threats are becoming more sophisticated, with infected containers capable of propagating the malware to other systems. Relying solely on firewalls or port blocking is no longer sufficient. A multi-layered security approach is necessary—one that leverages CTI (Cyber Threat Intelligence) and ASM (Attack Surface Management) tools to continuously detect external exposure and identify anomalies before they escalate.

In relation to this, you can refer to CVE-2025-31324 in SAP NetWeaver: Critical RCE and Server Hijacking Alert.


Source: Criminal IP (https://www.criminalip.io/), Kaspersky (https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-dero-crypto-miner-spreading-via-exposed-container-environments)

Related article:

https://www.criminalip.io/knowledge-hub/blog/28102