Exposed Docker Control API and Community Image Abused to Deliver Cryptocurrency-Mining Malware

guest · Mar 1, 2019

Exposed Docker Control API and Community Image Abused to Deliver Cryptocurrency-Mining Malware
March 1, 2019
https://blog.trendmicro.com/trendla...sed-to-deliver-cryptocurrency-mining-malware/

[...] we’ve uncovered notable activities of undesired or unauthorized cryptocurrency miners being deployed as rogue containers using a community-contributed container image published on Docker Hub.
The activities we uncovered are also significant in that they don’t need to exploit vulnerabilities and don’t depend on any version of Docker. Identifying a misconfigured and thus exposed container image is all it could take for attackers to infect many exposed hosts.

Before the cryptocurrency miner is executed, it is renamed to nginx. Other versions of this script rename the miner into other valid services that can be found in Linux environments. This is done to avoid detection for when running processes are listed.

It is important to note that the Docker image (alpine-curl) is not malicious on its own. But as shown above, it is being abused to carry out a malicious functionality. Similar Docker images could also be abused to perform malicious activities. We’ve contacted and worked with Docker about this issue.
Click to expand...

guest · Mar 4, 2019

Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners
March 4, 2019
https://www.imperva.com/blog/hundreds-of-vulnerable-docker-hosts-exploited-by-cryptocurrency-miners/

According to Imperva research, exposed Docker remote API has already been taken advantage of by hundreds of attackers, including many using the compromised hosts to mine a lesser-known-albeit-rising cryptocurrency for their financial benefit.
In February, a new vulnerability (CVE-2019-5736) was discovered that allows you to gain host root access from a docker container. The combination of this new vulnerability and exposed remote Docker API can lead to a fully compromised host.

The possibilities for attackers after spawning a container on hacked Docker hosts are endless. Mining cryptocurrency is just one example.
Wrapping Up
In this post, we saw how dangerous exposing the Docker API publicly can be.

Exposing Docker ports can be useful, and may be required by third-party apps like ‘portainer’, a management UI for Docker.
We also saw how credentials stored as environment variables can be retrieved. It is very common and convenient, but far from being secure.
Click to expand...

guest · May 30, 2019

Xulu: Cryptojacking Leveraging Shodan, Tor, and Malicious Docker Container
May 28, 2019
https://www.alibabacloud.com/blog/x...dan-tor-and-malicious-docker-container_594869

Earlier this month, we detected a mining botnet that deploys malicious Docker containers on victim hosts by exploiting Docker's remote API unauthorized Access vulnerability. We have named the botnet "Xulu" because it serves as username in the botnet's mining.
It also placed its controlling server in the Tor network, which is probably an effort to hide the evil backstage manipulator of the botnet.

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.
When digging into the Xulu botnet event, we noticed that containers with malicious "zoolu2/auto" docker images are created on compromised hosts.
Click to expand...

Trend Micro: Infected Cryptocurrency-Mining Containers Target Docker Hosts With Exposed APIs, Use Shodan to Find Additional Victims

guest · Apr 3, 2020

Self-Propagating Malware Targets Thousands of Docker Ports Per Day
A Bitcoin-mining campaign using the Kinsing malware is spreading quickly thanks to cloud-container misconfigurations
April 3, 2020
https://threatpost.com/self-propagating-malware-docker-ports/154453/

Thousands of container-compromise attempts are being observed every day as part of the campaign, according to Gal Singer, a security researcher at AquaSec. The effort has been ongoing for months. However, since the beginning of the year, the number of daily attempts has far exceeded what was seen before, he said.

“We…believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor,” he wrote, in an analysis posted on Friday.
Kinsing’s Infection Routine
The attack pattern starts with the attackers identifying a misconfigured Docker API port that has been left open to the public internet. They then access that open port and the Docker instance connected to it, and run a rogue Ubuntu container. The container issues a command that fetches the Kinsing malware, which in turn downloads and runs a cryptominer.

The interesting aspect of the attack is the shell script used for self-propagation.
Click to expand...

The existing attack “stands out as yet another example of the growing threat to cloud-native environments,” Singer wrote.

“With deployments becoming larger and container use on the rise, attackers are upping their game and mounting more ambitious attacks, with an increasing level of sophistication.”
DevSecOps teams can take steps to protect against the Kinsing threat and others, starting with making sure their Docker containers are locked down.
Click to expand...

AquaSec: Threat Alert: Kinsing Malware Attacks Targeting Container Environments

Kinsing is a Linux agent, identified by Virus Total after we submitted it for analysis.
A quick look at the malware’s strings reveals that it is a Golang-based Linux agent.
Click to expand...

Minimalist · Jun 25, 2020

Docker Images Containing Cryptojacking Malware Distributed via Docker Hub

With Docker gaining popularity as a service to package and deploy software applications, malicious actors are taking advantage of the opportunity to target exposed API endpoints and craft malware-infested images to facilitate distributed denial-of-service (DDoS) attacks and mine cryptocurrencies.
Click to expand...

https://thehackernews.com/2020/06/cryptocurrency-docker-image.html

guest · Jul 16, 2020

Docker attackers devise clever technique to avoid detection
July 15, 2020
https://www.scmagazine.com/home/sec...s-devise-clever-technique-to-avoid-detection/

In what researchers say is a first, attackers are performing a new container attack technique in the wild, whereby they build their own malicious images on a targeted host instead of pulling preexisting ones from a public registry. This maneuver allows the adversaries to avoid static detection by scanners that are programmed to look for suspicious images.

The attack exploits misconfigured Docker API ports in order to infect victims with a resource-hijacking cryptominer, according to a new blog post from Aqua Security, whose researchers uncovered the scheme.

“This is yet another step in the super-fast evolution of attacks against cloud-native environments in just the past couple of years,” said says the post, from Assaf Morag, lead data analyst.
The technique also improves the persistency of the attack because the malicious image can’t be taken down if it’s not stored anywhere in the first place.
Click to expand...

Aqua Security: Threat Alert: Attacker Building Malicious Images Directly on Your Host

In this blog we reported about an adversary who used a new technique to attack a misconfigured Docker API. The image was built directly on the target host and executed a resource-hijacking attack by using a cryptominer.
In this case, preliminary threat intel on a malicious container image is useless because the image is not pulled from a remote source.

We believe that the best solution for these kinds of threats lies in an on-going Dynamic Threat Analysis scanning cadence. Dynamically scanning all your images in Docker Hub and on the organization's servers would shine a bright light on any hidden threats lurking in the cloud.
Click to expand...

guest · Jul 28, 2020

Undetectable Linux Malware Targeting Docker Servers With Exposed APIs
July 28, 2020
https://thehackernews.com/2020/07/docker-linux-malware.html

Cybersecurity researchers today uncovered a completely undetectable Linux malware that exploits undocumented techniques to stay under the radar and targets publicly accessible Docker servers hosted with popular cloud platforms, including AWS, Azure, and Alibaba Cloud.

According to the latest research Intezer shared with The Hacker News, an ongoing Ngrok mining botnet campaign scanning the Internet for misconfigured Docker API endpoints and has already infected many vulnerable servers with new malware.
Dubbed 'Doki,' the new multi-threaded malware leverages "an undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address despite samples being publicly available in VirusTotal."

"The malware utilizes the DynDNS service and a unique Domain Generation Algorithm (DGA) based on the Dogecoin cryptocurrency blockchain in order to find the domain of its C2 in real time."
Click to expand...

Users and organizations who run Docker instances are advised not to expose docker APIs to the Internet, but if you still need to, ensure that it is reachable only from a trusted network or VPN, and only to trusted users to control your Docker daemon.
Click to expand...

Intezer: Watch Your Containers: Doki Infecting Docker Servers in the Cloud

Ngrok Mining Botnet is an active campaign targeting exposed Docker servers in AWS, Azure, and other cloud platforms. It has been active for at least two years.

Anyone with publicly open Docker API access is at high risk to be hacked within the span of just a few hours. This is probable due to the hackers’ automated and continuous internet-wide scanning for vulnerable victims.

The new malware, dubbed “Doki”, hasn’t been detected by any of the 60 malware detection engines in VirusTotal since it was first analyzed on January 14, 2020.

Click to expand...

guest · Dec 1, 2020

Misconfigured Docker Servers Under Attack by Xanthe Malware
The never-before-seen Xanthe cryptomining botnet has been targeting misconfigured Docker APIs
December 1, 2020
https://threatpost.com/misconfigured-docker-servers-xanthe-malware/161732/

Researchers have discovered a Monero cryptomining botnet they call Xanthe, which has been exploiting incorrectly configured Docker API installations in order to infect Linux systems.

Xanthe was first discovered in a campaign that employed a multi-modular botnet, as well as a payload that is a variant of the XMRig Monero cryptocurrency miner. Researchers said that the malware utilizes various methods to spread across the network – including harvesting client-side certificates for spreading to known hosts via Secure Shell (SSH).

“We believe this is the first time anyone’s documented Xanthe’s operations,” said researchers with Cisco Talos in a Tuesday analysis. “The actor is actively maintaining all the modules and has been active since March this year.”
Click to expand...

Misconfigured Docker servers are another way that Xanthe spreads. Researchers said that Docker installations can be easily misconfigured and the Docker daemon exposed to external networks with a minimal level of security.
Click to expand...

Cisco Talos: Xanthe - Docker aware miner

Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats.

The actor employs various methods to spread across the network, like harvesting client-side certificates for spreading to known hosts using ssh, or spreading to systems with an incorrectly configured Docker API.
Click to expand...

guest · Jun 22, 2021

50% of misconfigured containers hit by botnets in under an hour
June 21, 2021
https://www.scmagazine.com/data-lea...d-containers-hit-by-botnets-in-under-an-hour/

Aqua Security on Monday reported that data it collected from honeypots protecting containers over a six-month period revealed that 50% of misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.

According to the research, it takes five hours on average for the adversaries’ bots to scan a new honeypot. The fastest scan occurred after a few minutes, while the longest gap was 24 hours.

“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” said Morag.
“Although cryptocurrency mining is still the lowest hanging fruit and thus more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft. Focusing on misconfigurations is important, but companies also need a more holistic approach that includes a focus on supply chain attacks.”
Click to expand...

The results of this report were contributed as input into the development of the MITRE ATT&CK Container Framework.
In fact, Adam Pennington, MITRE ATT&CK director, said container security has been on MITRE’s radar for a while now, but it was only fairly recently that the company started seeing enough reported activity to start mapping this area and add it to ATT&CK.
Click to expand...

guest · Nov 9, 2021

TeamTNT hackers target your poorly configured Docker servers
November 9, 2021
https://www.bleepingcomputer.com/ne...target-your-poorly-configured-docker-servers/

Poorly configured Docker servers and being actively targeted by the TeamTNT hacking group in an ongoing campaign started last month.

According to a report by researchers at TrendMicro, the actors have three distinct goals: to install Monero cryptominers, scan for other vulnerable Internet-exposed Docker instances, and perform container-to-host escapes to access the main network.
As illustrated in an attack workflow, the attack starts with creating a container on the vulnerable host using an exposed Docker REST API.
Click to expand...

TeamTNT then uses compromised, or actor-controlled Docker Hub accounts to host malicious images and deploy them on a targeted host.
Next, the dropped container executes cronjobs and fetches various post-exploitation and lateral movement tools, including container escaping scripts, credential stealers, and cryptocurrency miners.

The container image that is created is based on the AlpineOS system and is executed with flags that allow root-level permissions on the underlying host.
Click to expand...

Previous campaign laid the groundwork
TrendMicro reports that this campaign also uses compromised Docker Hub accounts controlled by TeamTNT to drop malicious Docker images.

The actors were spotted collecting Docker Hub credentials in a previous campaign analyzed by TrendMicro in July when credentials stealers were deployed in attacks.

"Our July 2021 research into TeamTNT showed that the group previously used credential stealers that would rake in credentials from configuration files. This could be how TeamTNT gained the information it used for the compromised sites in this attack," explains TrendMicro's research published today.
Click to expand...

guest · Dec 29, 2021

Cryptomining Attack Exploits Docker API Misconfiguration Since 2019
December 29, 2021

Hackers behind a cryptomining campaign have managed to avoid detection since 2019. The attacks exploited misconfigured Docker APIs that allowed them to gain network entry and ultimately sets up a backdoor on compromised hosts to mine cryptocurrency, researchers said.

The attack technique is script-based and dubbed “Autom”, because it exploits the file “autom.sh”. Attackers have consistently abused the API misconfiguration during the campaign’s active period, however the evasion tactics have varied – allowing adversaries to fly under the radar, wrote Aquasec’s research arm Team Nautilus in a report published Wednesday.
Click to expand...

Attackers hit honeypots set up by Team Nautilus 84 times since 2019, with 22 attacks in 2019, 58 in 2020, and four in 2021 before researchers began writing up their report in October, researchers said. Researchers also report attacks on honeypots decreased significantly this year, while overall targeting of poorly configured Docker APIs did not, according to a Shodan search, researchers noted.

“This decrease in attacks on our honeypots might imply that the attackers identified them and therefore reduced the volume of their attacks in 2021,” they wrote.
Click to expand...

Team Nautilus first observed the attack in 2019 when a malicious command was executed during the run of a vanilla image alpine:latest, which downloaded the autom.sh shell script, they said in the report. Adversaries commonly use vanilla images along with malicious commands to perform attacks because most organizations trust these images and allow their use, researchers explained.

“The Autom campaign illustrates that attackers are becoming more sophisticated, continually improving their techniques and their ability to avoid detection by security solutions,” they observed.
Click to expand...

Aquasec: Threat Alert: Evolving Attack Techniques of Autom Cryptomining Campaign

Over the past three years, we at Team Nautilus have been tracking an ongoing cryptomining campaign attacking our honeypots. It got the name Autom due to a shell script that was downloaded and that initiated the attack. Through the years, the campaign has evolved, demonstrating new techniques to hide the attack. In this blog, we examine the campaign, its techniques, and how organizations can protect against similar threats.
Click to expand...

Log in or Sign up

Exposed Docker Control API and Community Image Abused to Deliver Cryptocurrency-Mining Malware

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Exposed Docker Control API and Community Image Abused to Deliver Cryptocurrency-Mining Malware

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches