Adversaries looking for an easy way to mine for cryptocurrency are actively targeting publicly exposed Docker services. They use a malicious script capable to scan the network in search of vulnerable hosts and compromise them.
The point of entry is TCP port 2375 or 2376, the default for reaching the Docker service remotely via REST management APIs, which allow creating, starting and stopping containers. Unless configured otherwise, both ports provide unencrypted and unauthenticated communication.
Docker containers are highly popular because they allow virtualization at the operating system level. This enables running applications in a lighter virtual environment, complete with all the dependencies they need.
Researchers at Juniper Networks discovered that cybercriminals are currently taking advantage of misconfigured Docker services to add their own containers that run a Monero mining script.
The infection spreads automatically via scripts and utilities that are already on the target system, a tactic known as 'living off the land.' Among them are Docker, wget, cURL, Bash, iproute2, MASSCAN, apt-get, yum, up2date, pacman, dpkg-query, and systemd.
According to a report Juniper Networks shared with BleepingComputer, once the attacker reaches a vulnerable Docker host they start a container and run commands to download and launch 'auto.sh,' a script that helps extend the operation. It also checks the system for specific packages and downloads any that are missing, in order to continue proliferation to other hosts.
'auto.sh' is also responsible for starting the Monero mining job by executing the MoneroOcean's mining script. The miner is freely available on GitHub, but the perpetrator(s) download a variant hosted on Pastebin.
Jumping to different hosts is possible after scanning the network subnets connected to the infected hosts; the IP addresses of misconfigured Docker daemons are stored in a text file, processed by additional scripts called 'test.sh' and ''test3.sh;' their purpose is to loop through each IP address on the list and connect to the remote hosts using Docker's client tool.
All these scripts are hosted on a server that was up and running at the time of writing. A different coin mining utility named 'xm' is also stored on the server; it is flagged as malicious by 24 antivirus engines on VirusTotal.
This is not the first time security researchers see auto.sh used for cryptojacking. In mid-October, BleepingComputer reported that Trend Micro spotted an attacker with the same MO using a script with the same name.
Reaching Docker over the network safely is easily achieved by running communication over TLS. This is possible when the 'tlsverify' flag is enabled and defining a trusted certificate for the 'tlscacert' flag.
Under this setup, the Docker daemon accepts only connections authenticated with a trusted certificate. When in client mode, Docker connects only to servers presenting a trusted certificate.
Combined with the power of cloud computing, services exposed to the public internet are a gift to threat actors of any kind.
Cryptocurrency mining is just one of the risks here since cybercriminals can use disposable containers for all sorts of jobs, from launching distributed denial-of-service attacks to storing and spreading malware.