Cyber-criminals exploit misconfigured container to deliver cryptominer

News by Robert Abel

Threat actors have exploited misconfigured Docker containers to deliver cryptomining malware.


"Docker implements virtualisation on the operating-system (OS) level — also known as containerisation," researchers said in a 25 October blog post. "The Docker APIs, in particular, allow remote users to control Docker images like a local Docker client does. Opening the API port for external access is not recommended, as it can allow hackers to abuse this misconfiguration for malicious activities."

The attacks weren’t the result of the Docker engine being compromised or of problems within Docker’s enterprise platform, but of misconfiguration at the administrator level.

While researchers noted that misconfigurations aren’t new, they can be a perennial challenge for organisations, since many of them, especially in China, still have their Docker hosts misconfigured. Researchers also noted misconfigured Docker hosts in the US, France, Germany, Singapore, the Netherlands, the United Kingdom, Japan, India, and Ireland, with the majority of them running Linux.

In addition, more than half of the exposed hosts were running version 18.06.1-ce, a relatively recent Docker release, although misconfigurations were also noted across other versions.

The attackers often exploited the misconfigurations to create Docker containers through exposed API ports, and then installed a wget package using the system package manager, used wget to download an auto-deployment script, converted the script from DOS to Unix format, set executable permissions on the script, and ran it.

Abuse of the Docker API isn’t new, and researchers noted previous instances in which similar misconfigurations resulted in exploitation, such as in April 2017, when an attacker deployed an additional SSH key on the compromised system and installed a distributed-denial-of-service (DDoS) bot along with other malware to ensure that the deployed bot would automatically restart on startup.

In order to prevent similar attacks, researchers recommend that organisations: harden their security posture; ensure that container images are authenticated, signed, and from a trusted registry; enforce the principle of least privilege; properly configure how many resources containers are allowed to use; and enable Docker’s built-in security features to help defend against threats.
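One way an administrator could check a host for the exposed-API misconfiguration described above, as an added example that is not from the researchers' post. It assumes the daemon's settings come from a `daemon.json` file and/or `dockerd` command-line arguments; the function name, sample configurations and certificate paths are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_docker_listeners(daemon_json, dockerd_args=()):
    """Return (severity, listener, reason) for each TCP API listener."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls = bool(cfg.get("tls", False))
    tlsverify = bool(cfg.get("tlsverify", False))
    # Merge listeners and TLS switches given on the dockerd command line.
    args = list(dockerd_args)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg == "--tlsverify":
            tlsverify = True
        elif arg == "--tls":
            tls = True
    findings = []
    for listener in hosts:
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        host = urlsplit(listener).hostname or ""
        if host in LOOPBACK:
            continue
        # Conservative: any address not explicitly loopback counts as exposed.
        if tlsverify:
            findings.append(("info", listener, "remote API requires client certificates"))
        elif tls:
            findings.append(("high", listener, "encrypted, but clients are not authenticated"))
        else:
            findings.append(("critical", listener, "plaintext API with no authentication"))
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_docker_listeners(cfg))
```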
