Exposed Docker APIs continue to be used by attackers to create new containers that perform cryptojacking.
Earlier this year we reported on attackers utilizing insecure Docker and Kubernetes systems to deploy containers that were used to mine coins. For those who are not familiar with containers, they are packages that contain an application and all the dependencies that are required to run it. These packages can then be deployed as containers to Docker or Kubernetes systems as needed.
Docker containers are deployed on a platform called Docker Engine, where they will run in the background along with other containers deployed to the system. If Docker Engine is not properly secured, attackers can remotely utilize the Docker Engine API to deploy containers of their own creation and start them on the insecure system.
Trend Micro has recently spotted an attacker that is scanning for exposed Docker Engine APIs and utilizing them to deploy containers that download and execute a coin miner.
When the container is deployed and activated, it launches an auto.sh script that downloads a Monero miner and configures it to launch automatically. The script also downloads port scanning software, which scans for other vulnerable Docker Engine instances on ports 2375 and 2376 and attempts to spread to them.
Scan all networks seen from the host, with a scan rate of 50,000 packets per second, for open port 2375 and 2376; the result is saved in local.txt (anonymized/defanged):
masscan "$@" -p2375,2376 --rate=50000 -oG local.txt;
Conduct lateral movement by infecting or abusing more hosts found in previous reconnaissance:
sudo sed -i 's/^Host: \([0-9.]*\).*Ports: \([0-9]*\).*$/\1:\2/g' local.txt;
sudo sh test3.sh local.txt;
With this method, a large number of Docker Engine containers can be amassed that mine coins for the attacker.
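The root cause described above is a Docker Engine API listening on TCP 2375/2376 without client authentication. The following added example (not code from the article or from Trend Micro) audits a host's own dockerd configuration for exactly that condition; the daemon.json and ExecStart inputs are constructed samples, and it treats only --tlsverify (client-certificate verification) as authentication, since --tls alone merely encrypts the connection.

```python
import json
import re
import shlex

# Constructed sample inputs (hypothetical, not from the article): a daemon.json that
# exposes the API on all interfaces without TLS, and a systemd ExecStart line that
# exposes it only with client-certificate verification.
WEAK_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_EXEC_START = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
                       "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
                       "--tlskey=/etc/docker/server-key.pem")


def collect_listeners(daemon_json, exec_start):
    """Gather every -H/--host listener and whether client-cert verification is enabled."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    args = shlex.split(exec_start)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return hosts, tlsverify


def audit_docker_api(daemon_json, exec_start):
    """Return one finding per TCP listener that accepts Engine API calls without client auth.

    --tls without --tlsverify encrypts the socket but lets any client that can reach
    the port drive the API, so it is still reported here.
    """
    hosts, tlsverify = collect_listeners(daemon_json, exec_start)
    findings = []
    for host in hosts:
        match = re.fullmatch(r"tcp://(\[[^\]]*\]|[^:/]*)(?::(\d+))?/?", host)
        if not match:
            continue  # unix:// and fd:// sockets are guarded by filesystem permissions
        addr = match.group(1) or "0.0.0.0"
        port = int(match.group(2) or (2376 if tlsverify else 2375))  # dockerd defaults
        if not tlsverify:
            scope = "all interfaces" if addr in ("0.0.0.0", "[::]") else addr
            findings.append(f"unauthenticated Engine API on {scope} port {port}")
    return findings


if __name__ == "__main__":
    print(audit_docker_api(WEAK_DAEMON_JSON, ""))    # one finding on port 2375
    print(audit_docker_api("", HARDENED_EXEC_START))  # []
```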
Docker Engine API abuse is not new, but it continues to be a problem because administrators do not properly lock down their systems. To prevent attackers from exploiting insecure Docker Engine implementations, Trend Micro suggests administrators utilize the following security practices: