We wanted to share information on something we detected today that has also been seen by others. While responding to an unresponsive container, we determined that a customer's Docker container had been infected by the "Soft Cell" threat actor.
We are still investigating whether the container was infected before it was deployed or whether it was compromised after the fact. The container was sending traffic back to 45[.]9[.]150[.]36 and was also performing DNS lookups for borg[.]wtf and teamtnt[.]red (along with a few other domains we have published in our threat intelligence feed).
We strongly recommend searching your DNS and network logs for lookups of these domains or connections to that IP address to determine whether any of your containers are affected.
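As an added example (not part of the original post or the author's tooling), the following script shows one way to run that search offline over DNS and connection logs. It refangs the indicators quoted above, matches the domains exactly and as parent domains (so a lookup of a subdomain such as irc.teamtnt.red is still caught), matches the IP exactly, and reports which source addresses (container IPs) were involved. The `ts kind key=value ...` log line layout and the sample lines are assumptions constructed for the example; adapt `parse_line` to whatever your DNS server or flow collector actually emits.

```python
"""Scan DNS and connection logs for the IOCs named in the post.

Example code written for this page; the log format below is a constructed,
hypothetical one, not any particular product's output.
"""
import re
from typing import Dict, List, Optional

# Indicators quoted in the post, defanged as they appear there.
DEFANGED_DOMAINS = ["borg[.]wtf", "teamtnt[.]red"]
DEFANGED_IPS = ["45[.]9[.]150[.]36"]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('45[.]9[.]150[.]36') back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}


def domain_hits(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    Normalises case and a trailing dot; 'notborg.wtf' must NOT match 'borg.wtf'.
    """
    name = qname.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def parse_line(line: str) -> Dict[str, str]:
    """Parse an assumed 'ts kind key=value ...' line into a dict."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return {}
    rec = {"ts": parts[0], "kind": parts[1]}
    rec.update(KV_RE.findall(parts[2]))
    return rec


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that touches an IOC."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("kind") == "dns":
            hit = domain_hits(rec.get("query", ""))
            if hit:
                findings.append({"ts": rec["ts"], "src": rec.get("client", ""),
                                 "ioc": hit, "via": "dns"})
        elif rec.get("kind") == "conn":
            dst = rec.get("dst", "")
            if dst in IOC_IPS:  # exact match only; 45.9.150.3 is not an IOC
                findings.append({"ts": rec["ts"], "src": rec.get("src", ""),
                                 "ioc": dst, "via": "conn"})
    return findings


def suspect_sources(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct source addresses (container IPs) that touched an IOC."""
    return sorted({f["src"] for f in findings if f["src"]})


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2021-03-04T10:22:01Z dns client=172.17.0.3 query=borg.wtf type=A",
    "2021-03-04T10:22:02Z dns client=172.17.0.3 query=IRC.teamtnt.red. type=A",
    "2021-03-04T10:22:03Z dns client=172.17.0.5 query=registry-1.docker.io type=A",
    "2021-03-04T10:22:05Z conn src=172.17.0.3 dst=45.9.150.36 dport=443 proto=tcp",
    "2021-03-04T10:22:06Z conn src=172.17.0.5 dst=45.9.150.3 dport=443 proto=tcp",
    "2021-03-04T10:22:07Z dns client=172.17.0.7 query=notborg.wtf type=A",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['ioc']} ({f['via']})")
    print("suspect containers:", suspect_sources(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Feed it real DNS and flow logs once `parse_line` matches your format; a hit on any container IP is the cue to isolate that container and pull its image and filesystem for analysis before it is restarted.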