AWS (Amazon Web Services)

Darktrace researchers uncovered a cyber campaign dubbed **ShadowV2**, exploiting misconfigured **exposed Docker APIs** on **AWS EC2 instances**. Attackers leveraged the **Python Docker SDK** to interact with unsecured Docker daemons, deploying malicious containers directly on victims' systems instead of using prebuilt images—likely to minimize forensic evidence. The compromised Docker environments were then repurposed as launchpads for **DDoS (Distributed Denial of Service) attacks**, turning cloud-native misconfigurations into a scalable attack vector. While AWS Docker instances are **not exposed to the internet by default**, improper configurations enabled external access, allowing threat actors to infiltrate systems. The attack highlights the industrialization of cybercrime, where **DDoS-as-a-service** models—complete with APIs, dashboards, and user interfaces—are commoditized. Although the article does not specify direct financial or data losses, the exploitation of cloud infrastructure for large-scale DDoS operations poses **reputational risks**, **operational disruptions**, and potential **financial liabilities** for AWS customers whose instances were hijacked. The incident underscores the growing sophistication of cybercriminals in weaponizing misconfigured cloud services, with **AWS EC2** serving as a primary target in this campaign. While no customer data breaches were reported, the abuse of Docker APIs for malicious purposes could erode trust in AWS’s security posture, particularly among enterprises relying on containerized workloads.

Source: https://www.csoonline.com/article/4061598/shadowv2-turns-ddos-into-a-cloud-native-subscription-service.html

TPRM report: https://www.rankiteo.com/company/amazon-web-services

```json
{
  "id": "ama4092640092325",
  "linkid": "amazon-web-services",
  "type": "Cyber Attack",
  "date": "9/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
```

```python
{'affected_entities': [{'type': ['Cloud Service Providers',
                                 'Organizations Using AWS EC2 with '
                                 'Misconfigured Docker']}],
 'attack_vector': ['Exposed Docker API',
                   'Misconfigured AWS EC2 Instances',
                   'Python Docker SDK'],
 'description': 'Darktrace researchers discovered that the ShadowV2 threat '
                'group is exploiting misconfigured, exposed Docker APIs on AWS '
                'EC2 instances to launch DDoS attacks. The attackers use the '
                'Python Docker SDK to interact with exposed Docker daemons, '
                'building malicious containers directly on victim machines '
                'rather than importing prebuilt images. This approach may '
                'reduce forensic traces. The campaign highlights the '
                'industrialization of cybercrime, with DDoS attacks being '
                'treated as a business service by threat actors.',
 'impact': {'brand_reputation_impact': ['Potential Reputation Damage for '
                                        'Affected Organizations',
                                        'Highlighting Cloud Security Gaps'],
            'operational_impact': ['Potential Service Disruption from DDoS',
                                   'Resource Hijacking for Attack '
                                   'Infrastructure'],
            'systems_affected': ['AWS EC2 Instances with Exposed Docker APIs',
                                 'Victim Containers']},
 'initial_access_broker': {'entry_point': ['Exposed Docker API on AWS EC2'],
                           'high_value_targets': ['AWS EC2 Instances with '
                                                  'Docker']},
 'investigation_status': 'Ongoing (Darktrace Honeypots Active)',
 'lessons_learned': ['Exposed Docker APIs on cloud instances are a significant '
                     'attack vector for DDoS campaigns.',
                     'Threat actors are industrializing cybercrime with '
                     'user-friendly tools (e.g., APIs, dashboards) for DDoS '
                     'attacks.',
                     'Misconfigurations in cloud-native environments (e.g., '
                     'AWS EC2) can serve as launchpads for broader attacks.',
                     'Building malicious containers on victim machines may '
                     'reduce forensic evidence compared to importing prebuilt '
                     'images.'],
 'motivation': ['Financial Gain', 'Disruption', 'Cybercrime-as-a-Service'],
 'post_incident_analysis': {'corrective_actions': ['Secure Docker APIs by '
                                                   'default, restricting '
                                                   'external access.',
                                                   'Enforce least-privilege '
                                                   'principles for cloud '
                                                   'instance configurations.',
                                                   'Deploy behavioral '
                                                   'detection for '
                                                   'containerized '
                                                   'environments.'],
                            'root_causes': ['Misconfigured Docker daemons '
                                            'exposed to the internet.',
                                            'Lack of access controls for '
                                            'Docker APIs on cloud instances.',
                                            'Default Docker settings not '
                                            'hardened for production '
                                            'environments.']},
 'recommendations': ['Disable external access to Docker daemons unless '
                     'absolutely necessary.',
                     'Regularly audit cloud configurations (e.g., AWS EC2) for '
                     'exposed services.',
                     'Implement network segmentation to limit lateral movement '
                     'from compromised containers.',
                     'Use behavioral detection tools (e.g., Darktrace) to '
                     'identify anomalous container activity.',
                     'Monitor for unauthorized use of Docker SDK or container '
                     'deployment tools.'],
 'references': [{'source': 'Darktrace Blog Post'},
                {'source': 'Shane Barney, CISO at Keeper Security'}],
 'response': {'enhanced_monitoring': ['Darktrace Honeypots for Detection'],
              'remediation_measures': ['Securing Exposed Docker APIs',
                                       'Disabling Unnecessary External Access '
                                       'to Docker Daemons',
                                       'Reviewing AWS EC2 Configurations'],
              'third_party_assistance': ['Darktrace (Detection and Analysis)']},
 'threat_actor': 'ShadowV2',
 'title': 'ShadowV2 DDoS Campaign Exploiting Exposed Docker APIs on AWS EC2',
 'type': ['DDoS Attack',
          'Cloud Misconfiguration Exploitation',
          'Unauthorized Container Deployment'],
 'vulnerability_exploited': ['Misconfigured Docker Daemon (Exposed to '
                             'Internet)',
                             'Improper Access Controls on AWS EC2']}
```