Exposed Docker APIs continue to be used by attackers to create new containers that perform cryptojacking.

Earlier this year we reported on attackers utilizing insecure Docker and Kubernetes systems to deploy containers that were used to mine coins. For those who are not familiar with containers, they are packages that contain an application and all the dependencies that are required to run it. These packages can then be deployed as containers to Docker or Kubernetes systems as needed.

Docker containers are deployed on a platform called Docker Engine, where they will run in the background along with other containers deployed to the system. If Docker Engine is not properly secured, attackers can remotely utilize the Docker Engine API to deploy containers of their own creation and start them on the insecure system.

Trend Micro has recently spotted an attacker that is scanning for exposed Docker Engine APIs and utilizing them to deploy containers that download and execute a coin miner. 

Container Creation

When the container is deployed and activated, it will launch a script that will download a Monero miner and configure it to launch automatically. The script will also download port scanning software, which will scan for other vulnerable Docker Engine instances on ports 2375 and 2376 and attempt to further spread to them.

Scan all networks seen from the host, with a scan rate of 50,000 packets per second, for open port 2375 and 2376; the result is saved in local.txt (anonymized/defanged):
masscan "$@" -p2375,2376 --rate=50000 -oG local.txt;

Conduct lateral movement by infecting or abusing more hosts found in previous reconnaissance:
sudo sed -i 's/^Host: \([0-9.]*\).*Ports: \([0-9]*\).*$/\1:\2/g' local.txt;
sudo sh local.txt;

With this method, a large number of Docker Engine containers can be amassed that mine coins for the attacker.

Hardening Docker Engine servers

Docker Engine API abuse is not new, but it continues to be a problem because administrators do not properly lock down their systems. To prevent attackers from exploiting insecure Docker Engine implementations, Trend Micro suggests administrators utilize the following security practices:

  • Harden the security posture. The Center for Internet Security (CIS) has a reference that can help system administrators and security teams establish a benchmark to secure their Docker engine.
  • Ensure that container images are authenticated, signed, and from a trusted registry (e.g., Docker Trusted Registry). Employing automated image scanning tools helps improve development cycles.
  • Enforce the principle of least privilege. For instance, restrict access to the daemon and encrypt the communication protocols it uses to connect to the network. Docker has guidelines on how to protect the daemon socket.
  • Properly configure how many resources containers are allowed to use (control groups and namespaces).
  • Enable Docker’s built-in security features to help defend against threats. Docker has several guidelines on how to securely configure Docker-based applications.
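The exposure this attack depends on is a Docker Engine API listener on TCP (conventionally port 2375) that accepts requests from anyone who can reach it, which is what the "protect the daemon socket" recommendation above addresses. The following audit script is an added example, not code from the article or from Docker: it reads the dockerd daemon.json keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` and reports TCP listeners that are reachable without a client certificate. The two sample configurations at the bottom are constructed for illustration, and the certificate paths and management address in them are assumptions.

```python
"""Audit a Docker daemon.json for unauthenticated remote Engine API listeners.

Added example (not from the original article or from Docker). The sample
configurations below are constructed; certificate paths and the management
address 10.0.0.5 are assumptions.
"""
import json
from urllib.parse import urlsplit

PLAINTEXT_API_PORT = 2375   # conventional unauthenticated Engine API port
TLS_API_PORT = 2376         # conventional TLS Engine API port

# dockerd listens only on the local Unix socket when `hosts` is absent
DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]


def load_daemon_config(path="/etc/docker/daemon.json"):
    """Load daemon.json from disk (path is the usual Linux location)."""
    with open(path) as f:
        return json.load(f)


def audit_daemon_config(config):
    """Return a list of (severity, message) findings for one daemon.json dict.

    An empty list means no network-reachable, unauthenticated listener was found.
    """
    findings = []
    hosts = config.get("hosts") or DEFAULT_HOSTS
    tlsverify = bool(config.get("tlsverify", False))
    have_cert_material = all(config.get(k) for k in ("tlscacert", "tlscert", "tlskey"))

    for listener in hosts:
        parts = urlsplit(listener)
        if parts.scheme in ("unix", "fd"):
            continue  # local-only listeners are not reachable over the network
        if parts.scheme != "tcp":
            findings.append(("warn", f"{listener}: unrecognised listener scheme"))
            continue

        # A missing address means all interfaces; a missing port means 2375.
        host = parts.hostname or "0.0.0.0"
        port = parts.port if parts.port is not None else PLAINTEXT_API_PORT

        if not tlsverify:
            # This is the condition the scanner in the article looks for: anyone
            # who can reach the port can create and start containers.
            findings.append(("critical",
                             f"{listener}: TCP listener without tlsverify; "
                             "the API accepts unauthenticated requests"))
        elif not have_cert_material:
            findings.append(("critical",
                             f"{listener}: tlsverify is set but tlscacert/tlscert/tlskey "
                             "are not all configured; set the certificate paths explicitly"))

        if host in ("0.0.0.0", "::"):
            findings.append(("warn",
                             f"{listener}: bound to all interfaces; restrict to a "
                             "management address or firewall the port"))
        if port == PLAINTEXT_API_PORT and tlsverify:
            findings.append(("info",
                             f"{listener}: TLS is enforced on the conventional plaintext "
                             f"port {PLAINTEXT_API_PORT}; clients may expect {TLS_API_PORT}"))
    return findings


# Constructed sample: the weak setup the attack in the article relies on.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Constructed sample: remote management kept, but only for holders of a client
# certificate signed by the CA, and only on a management address (assumed paths).
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        results = audit_daemon_config(cfg) or [("ok", "no remote exposure found")]
        for severity, message in results:
            print(f"  {severity}: {message}")
```

Run it against a real host with `audit_daemon_config(load_daemon_config())`; the weak sample produces one critical and one warning finding, the hardened sample none. The check deliberately treats `tlsverify` (client certificate required) rather than `tls` alone as the bar, because encrypting the connection without authenticating the client still leaves the container-creation endpoint open to anyone who can reach the port.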
