The Information Highway

The Information Highway
Font size: +
  Print
3 minutes reading time (659 words)

Exploited cryptojacking campaign impacting Docker

53 Hits

Threat update

 A new cryptojacking campaign exploiting the Docker Engine API has been discovered. The large-scale hacking campaign is targeting Docker Swarm, Kubernetes, and Secure Socket Shell (SSH) servers. Continue reading this Cybersecurity Threat Advisory to learn how to mitigate your risk from these vulnerabilities.

Technical Detail and Additional Info

What is the threat?

The attackers start by scanning the internet for exposed and unauthenticated Docker API endpoints, using tools such as Masscan and ZGrab to locate vulnerable Docker environments. After gaining access, they deploy an Alpine container and download a malicious shell script from a remote server. This script is used to deploy the XMRig cryptocurrency miner, conceal it from process monitoring tools, and spread the attack to other containers through lateral movement.

Once a Docker container is compromised, the attack quickly expands beyond the initial breach. The attackers deploy additional scripts that allow them to move laterally throughout the network, targeting Docker, Kubernetes, and SSH endpoints. These scripts scan local networks for open Docker ports and exploit other hosts running Docker Swarm or Kubernetes orchestration systems.

Why is it noteworthy?

A crucial aspect of the attack includes its ability to broadcast like a worm. The attackers can create new containers on any host with vulnerable Docker endpoints by utilizing a Docker image hosted on Docker Hub. This image executes another script that further spreads the infection, integrating the compromised systems into a larger botnet.

Threat actors leveraged Docker Swarm's orchestration features for command-and-control (C2) operations as well. You can integrate SSH servers with these tools to manage and secure remote access to the nodes within your clusters. This malware campaign focuses on exploiting Docker and Kubernetes environments, with vulnerabilities in Docker API endpoints serving as the initial access vector for attacks.

What is the exposure or risk?

The most concerning aspect of this attack is the exploitation of Docker Swarm to organize the compromised systems. Docker Swarm is a native orchestration tool that enables multiple Docker engines to function as a unified virtual system. The attackers take advantage of this capability to establish a botnet, allowing them to centrally control all compromised Docker instances. This centralization facilitates large-scale, coordinated crypto-mining operations, generating significant revenue with minimal effort.

Additionally, the attack script forces compromised hosts to detach from any legitimate Docker Swarm they may be part of and join the attackers' own Swarm. This further extends the threat actor's control, transforming the compromised hosts into a botnet that can be exploited for cryptojacking or other purposes, such as distributed denial-of-service (DDoS) attacks.

In addition to crypto mining, the attackers establish long-term access to the compromised systems by deploying a series of scripts, including ar.sh, TDGINIT.sh, and pdflushs.sh. These scripts modify firewall rules, clear logs, and create a persistent backdoor via SSH. By adding their SSH keys to the root user's authorized keys file, the attackers ensure they can maintain access to the compromised hosts, even after reboots or security patches are applied.

What are the recommendations?

 LBT Technology Group recommends the following actions to mitigate your risk:

  • Authenticate all Docker API endpoints and make sure they are not exposed to the internet.
  • Implement strict firewall rules to limit access only to trusted IP addresses.
  • Configure Docker and Kubernetes environments to use role-based access control (RBAC), ensuring that only authorized users and services have access to critical functions.
  • Monitor Docker and Kubernetes logs regularly for signs of unusual activity, such as unexpected container creation or the presence of unfamiliar scripts.
  • Apply the latest security patches to all Docker, Kubernetes, and SSH systems.
  • Scan for vulnerabilities regularly.
  • Use key-based authentication for SSH and disable password-based logins.
  • Audit SSH keys and authorized users regularly to prevent unauthorized access.
  • Use intrusion detection systems (IDS) solutions to detect and block suspicious traffic.

References

 For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact LBT's Sales Engineer.

0
How do you feel about this post?
Happy (0)
Love (0)
Surprised (0)
Sad (0)
Angry (0)
Tags:
move block ​ cryptojacking campaign Docker Engine API Docker Swarm
Recently patched CUPS flaw can be used to amplify ...
Over 4,000 Adobe Commerce, Magento shops hacked in...

About the author

LBT Technology Group, LLC.

LBT Technology Group, LLC.

As we navigate our ever-evolving cyber society, LBT Technology Group believes providing comprehensive IT services to others is essential. As a Managed IT Services Provider (MSP), we are positioned to eliminate your pain points by optimizing your technology, mitigating your cyber security risk footprint, and improving your cyber resilence. The focus we place on reducing the presistent cyber security risks to the confidentiality, integrity, and availability of your information systems and our proficiency in restoring IT services in the event of a cyber attack or technology outage separates us from our competitors--WE SIMPLIFY YOUR IT EQUATION.
Author's recent posts
More posts from author

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Sunday, 13 October 2024

Captcha Image