
Docker containers are becoming more and more popular in organizations' IT environments because they provide virtualization at the operating-system level rather than through a hypervisor. Today the most common host OS for Docker is Linux, because the Linux kernel supplies the primitives Docker is built on (namespaces, cgroups and layered filesystems).

A new piece of malware was found that hunts for misconfigured, publicly exposed Docker services. It abuses them to start containers that run Monero miners, and each infected host then scans for further victims, so it spreads like a worm.

Entry point:

The Docker daemon exposes a REST API that its management tools (the docker CLI among them) use to create, start and stop containers. In the default configuration the API is reachable only through the local Unix socket (/var/run/docker.sock). To allow remote access, the daemon must be configured to listen on a TCP port as well. The ports conventionally used are 2375 and 2376; by convention 2375 carries plaintext and 2376 TLS, but the port number enforces nothing. A daemon bound to either port without TLS options accepts unencrypted, unauthenticated connections from anyone who can reach it.

The API gives a remote client everything a local user of the docker CLI has: pulling images, creating containers, mounting host directories into them and executing commands inside them. Because a container can be started with the host's root filesystem mounted, unauthenticated API access is equivalent to root on the host. Opening the API port to the network without protection therefore hands attackers exactly what they need for malicious activity.

Misconfigurations introduced during manual setup at the administrator level are a perennial challenge for organizations. Research revealed that many organizations still had their Docker hosts misconfigured; at the end of 2018 the numbers were still high in countries such as the U.S., France, Germany, Singapore, the Netherlands, the United Kingdom, Japan, India, and Ireland. The majority of the exposed hosts ran Linux with relatively recent Docker releases.
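The following is an added example (not code from the original article or from Docker itself) showing how to audit a host for exactly the misconfiguration described above, both from its own dockerd configuration and from the network. It relies only on dockerd's documented option names (-H / "hosts", --tlsverify / "tlsverify"); the sample configurations at the bottom are constructed for the demo, and the probe function mirrors the test an internet scanner makes against port 2375.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): check whether a Docker host
# exposes its REST API over TCP without client certificate authentication,
# from the host's own configuration and from the network.

# audit_docker_hosts <dockerd command line and/or daemon.json text>
# Returns 0 when only a Unix socket is bound or TCP is protected by tlsverify,
# 1 when a tcp:// listener is configured without --tlsverify / "tlsverify": true.
audit_docker_hosts() {
  local cfg="$1" tcp_listener
  # Any tcp:// endpoint, from "-H tcp://0.0.0.0:2375" or from
  # "hosts": ["tcp://0.0.0.0:2376"] in daemon.json.
  tcp_listener=$(printf '%s\n' "$cfg" | grep -oE 'tcp://[^"[:space:]]+' | head -n 1)
  if [ -z "$tcp_listener" ]; then
    echo "OK: no tcp:// listener, API reachable only via the Unix socket"
    return 0
  fi
  # --tlsverify=false must not count as protected, hence the trailing anchor.
  if printf '%s\n' "$cfg" | grep -qE -- '--tlsverify(=true)?([[:space:]]|$)|"tlsverify"[[:space:]]*:[[:space:]]*true'; then
    echo "OK: $tcp_listener requires a client certificate (tlsverify)"
    return 0
  fi
  echo "EXPOSED: $tcp_listener accepts unauthenticated API calls"
  return 1
}

# audit_local_daemon: run the check against this host's dockerd command line
# and /etc/docker/daemon.json (either may carry the listener definition).
audit_local_daemon() {
  local cfg
  cfg=$( { ps -eo args 2>/dev/null | grep -E '(^|/)dockerd( |$)'; cat /etc/docker/daemon.json 2>/dev/null; } )
  audit_docker_hosts "$cfg"
}

# probe_docker_api <host> [port]: the same test an internet scanner makes.
# A plaintext daemon answers GET /version with JSON; a tlsverify daemon
# rejects the request at the TLS handshake and prints nothing. Needs network.
probe_docker_api() {
  local host="$1" port="${2:-2375}" out
  out=$(curl -s --max-time 3 "http://$host:$port/version" 2>/dev/null)
  case "$out" in
    *'"ApiVersion"'*) echo "EXPOSED: $host:$port ($out)"; return 1 ;;
    *) echo "not reachable without TLS: $host:$port"; return 0 ;;
  esac
}

# Constructed sample configurations (not taken from a real host).
WEAK_CMDLINE='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'
WEAK_JSON='{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"] }'
FALSE_TLS='/usr/bin/dockerd -H tcp://0.0.0.0:2376 --tlsverify=false'
HARDENED_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}'

for cfg in "$WEAK_CMDLINE" "$WEAK_JSON" "$FALSE_TLS" "$HARDENED_JSON"; do
  audit_docker_hosts "$cfg" || :
done
```

audit_local_daemon reads both the running dockerd command line and /etc/docker/daemon.json because either may define the listener (on Debian and Ubuntu the systemd unit passes -H fd:// on the command line). The probe deliberately speaks plaintext HTTP: a daemon with tlsverify set rejects it during the TLS handshake, while an exposed daemon answers GET /version with JSON, which is all a scanner needs to know before issuing a container-create call.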

Spreading method:

The infection spreads through misconfigured Docker services that expose TCP ports 2375 and 2376. Every newly infected host continues the spread by scanning for more misconfigured Docker hosts on the network. The propagation is automated with scripts and with tools already present on the targeted system, a 'living off the land' tactic. Among the tools used are Docker, wget, cURL, Bash, iproute2, MASSCAN, apt-get, yum, up2date, Pacman, dpkg-query, and systemd.

Once the attacker reaches a vulnerable Docker host, they start a container and use it to download and launch 'auto.sh'. 'auto.sh' is responsible both for extending the operation and for starting the Monero mining job, which it does by executing MoneroOcean's mining script.

To spread to other hosts, 'auto.sh' also downloads any package it is missing in order to keep proliferating. The 'test.sh' and 'test3.sh' scripts process a text file containing the IP addresses of misconfigured Docker daemons found by the scan. They loop through each address on the list and connect to the remote daemon using Docker's own client tool.

What should you do?

Reaching Docker remotely over the network in a more secure fashion is easily achieved by running the communication over TLS. With TLS enabled in verification mode, the daemon accepts only connections from clients that present a certificate signed by a CA it trusts. To enable it, set the 'tlsverify' flag and point 'tlscacert' at the trusted CA certificate; the daemon also needs its own certificate and key ('tlscert' and 'tlskey'). Keep in mind that a valid client certificate still grants full, root-equivalent control of the host, so treat client keys as secrets and restrict the TCP port with a firewall to the management network. If remote access is not actually needed, do not enable a TCP listener at all.
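The block below is an added example, not code from the original article or from Docker's own tooling: it builds the certificate material that 'tlsverify' needs (a private CA, a server certificate for dockerd and a client certificate for the operator), writes the matching daemon.json, and checks the resulting chain the way the daemon and the docker client will. The host name docker-host.example.internal, the client name ops-client and the output directory are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: certificate material and
# daemon.json for a tlsverify-protected Docker daemon. Host name, client
# name and output directory are assumptions for the demo.
set -u

OUT="${OUT:-$(mktemp -d)}"
DAEMON_HOST="docker-host.example.internal"

# gen_docker_tls <dir> <server-hostname>
# Writes ca.pem, server-cert.pem, server-key.pem, cert.pem, key.pem into <dir>,
# using the file names the docker CLI expects under DOCKER_CERT_PATH.
gen_docker_tls() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  # CA: the only certificates dockerd will trust are those this key signs.
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$dir/ca-key.pem" \
    -subj "/CN=docker-ca" -out "$dir/ca.pem" 2>/dev/null
  # Server certificate: the SAN must carry the name clients will dial, or the
  # client's own verification of the daemon fails.
  openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/server-key.pem" -subj "/CN=$host" \
    -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" \
    > "$dir/server-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/server-ext.cnf" \
    -out "$dir/server-cert.pem" 2>/dev/null
  # Client certificate: clientAuth is the extended key usage dockerd requires.
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/key.pem" -subj "/CN=ops-client" \
    -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client-ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/client-ext.cnf" \
    -out "$dir/cert.pem" 2>/dev/null
  # A client key is root on the host; keep private keys owner-readable only.
  chmod 0400 "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/key.pem"
}

# write_daemon_json <certdir> <path>: daemon.json for /etc/docker/.
# tlsverify is what forces client-certificate auth; 2376 is a convention only.
write_daemon_json() {
  local dir="$1" path="$2"
  cat > "$path" <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "$dir/ca.pem",
  "tlscert": "$dir/server-cert.pem",
  "tlskey": "$dir/server-key.pem"
}
EOF
}

# cert_signed_by_ca <cert> <ca>: 0 if <cert> chains to <ca>, else 1.
# This is the check dockerd performs on every client certificate.
cert_signed_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# server_cert_matches_host <cert> <ca> <hostname>: what the docker client
# checks against the daemon's certificate when DOCKER_TLS_VERIFY=1 is set.
server_cert_matches_host() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

gen_docker_tls "$OUT" "$DAEMON_HOST"
write_daemon_json "$OUT" "$OUT/daemon.json"
echo "certificates and daemon.json written to $OUT"
# Client side, after copying ca.pem, cert.pem and key.pem to the operator:
#   export DOCKER_HOST=tcp://$DAEMON_HOST:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=$OUT
#   docker version
```

Two practical caveats: on hosts whose systemd unit already starts dockerd with -H fd://, putting "hosts" in daemon.json makes the daemon refuse to start because the same option is set in two places, so move the listener definition to one of them; and since the client key is root on the host, issue one per operator or automation identity and revoke by rotating the CA, as dockerd's tlsverify does not consult a revocation list.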

Misconfigurations that leave services exposed to the public internet are a gift to attackers of any kind. Cryptocurrency mining is only one of the risks organizations face when running containers in their IT environment.

Linux is believed to be more secure than other operating systems, but that reputation probably owes much to its having been a less attractive target until now. As Linux usage spreads, driven largely by virtualization and container technologies that suit it well, attacks will rise. Security professionals know that no operating system is inherently more secure than another; what matters is how it is configured and maintained.

CHS for Linux by CalCom solves this challenge by automating your hardening process. With CHS' learning ability, hardening actions are carried out without investing in lab testing and without causing outages in production. Configurations are updated according to best practices and recommendations and implemented in the production environment in one simple action. CHS for Linux also gives you constant updates on your state of compliance.

References:

https://www.theregister.co.uk/2017/07/28/malware_docker_containers/

https://forums.juniper.net/t5/Threat-Research/Container-Malware-Miners-Go-Docker-Hunting-In-The-Cloud/ba-p/400587

https://blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/

https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-docker-control-api-and-community-image-abused-to-deliver-cryptocurrency-mining-malware/

https://www.bleepingcomputer.com/news/security/misconfigured-docker-services-actively-exploited-in-cryptojacking-operation/
