Exposed Docker APIs continue to be used by attackers to create new containers that perform cryptojacking. Trend Micro has spotted an attacker that is scanning for exposed Docker Engine APIs and utilizing them to deploy containers that download and execute a coin miner. With this method, a large amount of Docker Engine containers can be amassed that mine coins for the attacker. To prevent attackers from exploiting insecure Docker Engine implementations, administrators should use the following security practices: Administrators should lock down their systems and install hardening Docker Engine servers.
Source: https://www.bleepingcomputer.com/news/security/exposed-docker-apis-continue-to-be-used-for-cryptojacking/