Cybercriminals are taking advantage of misconfigured Docker services to add their own containers that run a Monero mining script. They use a malicious script capable to scan the network in search of vulnerable hosts and compromise them. Once the attacker reaches a vulnerable Docker host they start a container and run commands to download and launch ‘auto.sh,’ a script that helps extend the operation. The infection spreads automatically via scripts and utilities that are already on the target system, a tactic known as ‘living off the land’
Source: https://www.bleepingcomputer.com/news/security/misconfigured-docker-services-actively-exploited-in-cryptojacking-operation/