A cybercrime group known as TeamTNT is using a crypto-mining worm to steal plaintext AWS credentials and config files from compromised Docker and Kubernetes systems. This is the first-ever worm that comes with AWS credential theft functionality on top of run-of-the-mill cryptomining modules. Cado Security recommends deleting files storing AWS credentials in plaintext, blocking access to Docker APIs, and monitoring connections made to mining pools using the Stratum mining protocol. The worm will also deploy an XMRig CPU miner that starts mining for Monero (XMR) cryptocurrency.
Source: https://www.bleepingcomputer.com/news/security/cryptojacking-worm-steals-aws-credentials-from-docker-systems/
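
One way to act on the Stratum-monitoring recommendation above, as an added example that is not code from Cado Security or the article: it flags newline-delimited JSON-RPC payloads shaped like Stratum traffic in reassembled TCP flows. The method names and `params` keys are assumptions based on common Stratum and XMRig pool usage, and the sample flows are constructed.

```python
import json

# Assumed message shapes: Bitcoin-style Stratum methods start with "mining.";
# the Monero variant used by XMRig-style miners uses bare method names.
BTC_PREFIX = "mining."
XMR_SHAPES = {  # method -> params keys that must all be present
    "login": {"login", "pass"},
    "job": {"blob", "job_id", "target"},
    "submit": {"job_id", "nonce", "result"},
}

def stratum_method(line: bytes):
    """Return the method name if this line looks like a Stratum message, else None."""
    try:
        msg = json.loads(line.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return None
    method, params = msg["method"], msg.get("params")
    if method.startswith(BTC_PREFIX):
        return method
    required = XMR_SHAPES.get(method)
    # Require the characteristic params keys so a generic "login" RPC is not flagged.
    if required and isinstance(params, dict) and required.issubset(params):
        return method
    return None

def scan_flows(flows):
    """flows maps (src, dst, dport) -> payload bytes; returns [(flow, [methods])]."""
    hits = []
    for flow, payload in flows.items():
        methods = [m for m in map(stratum_method, payload.splitlines()) if m]
        if methods:
            hits.append((flow, methods))
    return hits

# Constructed sample flows (documentation IP ranges, placeholder wallet).
SAMPLE_FLOWS = {
    ("10.0.0.5", "203.0.113.10", 3333):
        b'{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER",'
        b'"pass":"x","agent":"XMRig"}}\n'
        b'{"id":2,"method":"submit","params":{"id":"s1","job_id":"j1",'
        b'"nonce":"00000000","result":"00"}}\n',
    ("10.0.0.6", "198.51.100.7", 8080):
        b'{"id":7,"method":"login","params":{"user":"alice"}}\n',
    ("10.0.0.7", "198.51.100.9", 443): b"\x16\x03\x01\x02\x00\x01",
}

if __name__ == "__main__":
    for flow, methods in scan_flows(SAMPLE_FLOWS):
        print(flow, methods)
```

This only sees cleartext Stratum; pool connections wrapped in TLS need destination or flow-metadata based monitoring instead.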

