Some attackers are scanning the Internet for poorly configured Docker implementations that leave the platform’s API ports open and are then using the access to install malicious cryptomining software on compromised hosts.
The attacks are a new twist on a relatively recent phenomenon of attackers looking for and abusing unauthenticated Docker API access. Docker is a popular containerization software platform, and researchers at Trend Micro have discovered the recent campaign in which attackers are abusing the API in Docker Community versions. The researchers’ data shows that the campaign began ramping up in late September and spiked in the first week of October. The attackers have gone after targets in many countries, including China, the United States, France, Germany, and the United Kingdom.
“The Docker engine itself isn’t compromised or abused, and Docker’s enterprise platform is not affected. We found these rare instances of abuse on Docker Community versions. In fact, Docker’s technology has security features that its users can enable and configure to protect containers and workloads,” Hubert Lin, Fyodor Yarochkin, and Alfredo Oliveira, of Trend Micro wrote in an analysis of the attacks.
“In our research, the exposure of the Docker API ports was a result of misconfiguration on the user’s part, as we found that the misconfigurations were manually set up at the administrator level. Indeed, exposure to threats via misconfigurations isn’t new, but it can be a perennial challenge for organizations. In fact, our Shodan search revealed that many still have their Docker hosts misconfigured, especially in China.”
"Exposure to threats via misconfigurations isn’t new, but it can be a perennial challenge for organizations."
This campaign starts with the attackers scanning for TCP ports 2375 and 2376, which are used by Docker’s engine. If they find an implementation that has the ports open, they attempt to connect to the host and then create a Docker container. The attackers then download and install a script that deploys the software that mines the Monero cryptocurrency. The script also takes a number of other actions, including reconfiguring the SSH service in Docker and downloading some other scripts that provide persistence on the compromised host.
The script also will scan any networks that are reachable from the target machine, looking for other hosts with the exposed ports, trying to move laterally across the networks.
Cryptomining has emerged as one of the more popular ways for attackers to monetize the machines that they compromise. Rather than invest in their own mining rigs, criminals can harness the computing power of their victims’ machines to try to mine their cryptocurrency of choice. In addition to campaigns like the one the Trend Micro researchers uncovered, there have been many others in which attackers use other techniques to hijack users’ browsers to mine cryptocurrency. Those attacks typically use drive-by downloads or similar techniques.