For several months, an attack group has been systematically scanning for misconfigured Docker daemon API ports and attempting to compromise the hosts behind them; when it succeeds, it installs shell scripts and other tools to move laterally through the network and deploy cryptomining malware.
The attacks have been going on since at least November, and researchers at Aqua Security have been tracking them the entire time. Attack volume has had peaks and valleys, but it has risen sharply in the last month. The chain begins with the attackers finding an exposed Docker API port and using it to start an Ubuntu container, which then contacts a remote server and downloads a shell script. That script in turn downloads and runs other scripts, one of which is used to maintain persistence.
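The misconfiguration the campaign scans for is a Docker daemon that serves its API on a plain TCP port with no client authentication, so anyone who can reach the port can start a container on the host. The audit below, an added example written for this article rather than code from Aqua Security or the Docker project, checks a daemon's configuration for that condition. It reads the `hosts` and `tlsverify` settings from a `daemon.json` document or the equivalent `-H`/`--tlsverify` flags on a `dockerd` command line (those are the real option names), and the weak and corrected sample configurations embedded in it are constructed, not taken from any real host.

```python
"""Audit a dockerd configuration for an unauthenticated TCP API listener.

Added example, not code from the article, Aqua Security, or Docker.
The sample configurations below are constructed for illustration.
"""
import json
import shlex

# Constructed weak configuration: API on 2375, every interface, no TLS client auth.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed corrected configuration: management address only, clients must
# present a certificate signed by the CA (tlsverify), conventional port 2376.
FIXED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# The same weak setup expressed as a dockerd command line (constructed).
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"


def listeners(daemon_json=None, cmdline=None):
    """Collect API listeners and TLS settings from daemon.json and/or dockerd flags.

    dockerd itself refuses to start if the same option is set in both places;
    this audit simply accepts whichever source is supplied.
    """
    hosts = []
    tls = {"tls": False, "tlsverify": False}
    if daemon_json:
        cfg = json.loads(daemon_json)
        hosts += cfg.get("hosts", [])
        tls["tls"] = bool(cfg.get("tls", False))
        tls["tlsverify"] = bool(cfg.get("tlsverify", False))
    if cmdline:
        argv = shlex.split(cmdline)
        for i, tok in enumerate(argv):
            if tok in ("-H", "--host") and i + 1 < len(argv):
                hosts.append(argv[i + 1])
            elif tok.startswith("--host="):
                hosts.append(tok.split("=", 1)[1])
            elif tok in ("--tls", "--tls=true"):
                tls["tls"] = True
            elif tok in ("--tlsverify", "--tlsverify=true"):
                tls["tlsverify"] = True
    return hosts, tls


def audit(daemon_json=None, cmdline=None):
    """Return one finding per TCP listener an attacker could drive from the network."""
    hosts, tls = listeners(daemon_json, cmdline)
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix sockets are gated by file permissions, not the network
        addr = h[len("tcp://"):]
        if not tls["tlsverify"]:
            # --tls alone only encrypts; without --tlsverify the daemon never
            # checks a client certificate, so the API is effectively open.
            findings.append(f"{addr}: unauthenticated Docker API (no tlsverify)")
        if addr.startswith(("0.0.0.0", "[::]", "::")):
            findings.append(f"{addr}: bound to all interfaces; bind to a "
                            "management address or firewall the port")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("fixed", FIXED_DAEMON_JSON)):
        print(label, audit(cfg) or ["ok"])
    print("cmdline", audit(cmdline=WEAK_CMDLINE))
```

Running the audit on the weak configuration reports both the missing client authentication and the wildcard bind; the corrected configuration produces no findings. A listener that passes this check can still be reached by anyone holding a client certificate, so the CA used for `tlscacert` has to be one you control.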
The shell script also performs a number of other actions, including disabling security services, killing competing malware, and downloading a Linux agent identified as Kinsing. Once the malware is installed, it tries to connect to several different servers, one of which hosts yet another shell script.
“The spre.sh shell script that the malware downloads is used to laterally spread the malware across the container network. In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets,” Gal Singer, a researcher at Aqua Security, said in a post detailing the attacks.
“Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network.”
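The discovery step Singer describes is entirely passive: the script only reads files that already sit in the user's home directory. The inventory below, an added example written for this article and not code from Aqua Security or from the malware, shows a defender what such a collector could recover from a single host. It parses constructed sample copies of `~/.ssh/config`, `~/.ssh/known_hosts` and `~/.bash_history` (the file names are the standard OpenSSH and bash locations; their contents here are invented), resolves aliases and wildcard `Host` blocks against the config the way the ssh client would, and returns the candidate user/host pairs and identity files. It also counts hashed `known_hosts` entries, which is the one case where the hostname is not recoverable.

```python
"""Inventory the SSH targets and keys a passive collector could harvest from one host.

Added example for auditing your own hosts; not code from the article or the
malware. All three file contents below are constructed samples.
"""
import fnmatch
import shlex

SSH_CONFIG = """\
Host bastion
    HostName 10.0.1.10
    User ops
    IdentityFile ~/.ssh/id_ops

Host db-*
    User postgres
    IdentityFile ~/.ssh/id_db
"""

KNOWN_HOSTS = """\
10.0.1.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly
db-01.internal,10.0.2.21 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample
|1|F1E2D3C4B5A6=|Z9Y8X7W6V5U4= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHashedEntry
"""

BASH_HISTORY = """\
ls -la
ssh root@10.0.3.5
ssh -i ~/.ssh/deploy_key deploy@build-01
scp backup.tgz ops@10.0.1.10:/tmp/
ssh bastion
"""

# ssh/scp flags that consume the next argument (subset sufficient for the sample).
VALUE_FLAGS = {"-i", "-p", "-P", "-l", "-o", "-J", "-F", "-b"}


def parse_ssh_config(text):
    """Return {host_pattern: {lowercased option: value}} for each Host block."""
    blocks, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = {}
            for pattern in value.split():  # several patterns share one block
                blocks[pattern] = current
        elif current is not None:
            current[key.lower()] = value.strip()
    return blocks


def parse_known_hosts(text):
    """Return (plaintext hostnames, count of hashed entries that hide the name)."""
    plain, hashed = [], 0
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("|1|"):
            hashed += 1  # HashKnownHosts: HMAC of the name, nothing to harvest
            continue
        for h in fields[0].split(","):
            plain.append(h[1:].split("]")[0] if h.startswith("[") else h)  # [host]:port
    return plain, hashed


def parse_history(text):
    """Yield (target, identity_file_or_None) for each ssh/scp/sftp command."""
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] not in ("ssh", "scp", "sftp"):
            continue
        identity, operands, i = None, [], 1
        while i < len(argv):
            tok = argv[i]
            if tok in VALUE_FLAGS and i + 1 < len(argv):
                if tok == "-i":
                    identity = argv[i + 1]
                i += 2
            elif tok.startswith("-"):
                i += 1
            else:
                operands.append(tok)
                i += 1
        remote = [o for o in operands if ":" in o] if argv[0] == "scp" else operands[:1]
        for target in remote:
            yield target, identity


def resolve(target, config):
    """Resolve 'user@host[:path]' or a config alias to (user, host, identity)."""
    user, _, host = target.rpartition("@")
    host = host.split(":", 1)[0]
    identity = None
    for pattern, opts in config.items():
        if fnmatch.fnmatchcase(host, pattern):
            user = user or opts.get("user", "")
            identity = identity or opts.get("identityfile")
            host = opts.get("hostname", host)
    return user or "?", host, identity


def inventory(ssh_config, known_hosts, bash_history):
    """Collect (user, host) pairs and key paths the three files give away."""
    config = parse_ssh_config(ssh_config)
    targets, keys = set(), set()
    for pattern, opts in config.items():  # aliases are ready-made targets
        if "identityfile" in opts:
            keys.add(opts["identityfile"])
        if not any(c in pattern for c in "*?"):
            user, host, _ = resolve(pattern, config)
            targets.add((user, host))
    plain, hashed = parse_known_hosts(known_hosts)  # hosts reached before
    for h in plain:
        user, host, _ = resolve(h, config)
        targets.add((user, host))
    for target, identity in parse_history(bash_history):  # explicit logins
        user, host, cfg_key = resolve(target, config)
        targets.add((user, host))
        if identity or cfg_key:
            keys.add(identity or cfg_key)
    known = {h for u, h in targets if u != "?"}  # drop '?' where a user is known
    targets = {(u, h) for u, h in targets if u != "?" or h not in known}
    return {"targets": sorted(targets), "keys": sorted(keys), "hashed_known_hosts": hashed}


if __name__ == "__main__":
    print(inventory(SSH_CONFIG, KNOWN_HOSTS, BASH_HISTORY))
```

On the sample files the inventory yields five hosts, four of them with a username already attached, and three private-key paths, which is exactly the input the spreading script needs for its "every user and key combination" loop. The single hashed `known_hosts` line contributes nothing, which is the practical argument for `HashKnownHosts yes` in `ssh_config`, for keeping private keys off the hosts that reach other hosts (agent forwarding or a bastion instead), and for treating `.bash_history` as sensitive.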
The attackers then connect to those hosts over SSH and move through the network. The end goal of the intrusion is to install a Bitcoin miner, which is something of a quixotic choice at this point. Attackers have been using illicit access to networks and cloud environments to run cryptominers for several years, but the payload is usually a Monero miner or one for some more obscure currency rather than Bitcoin, which is now much harder to mine profitably. Cloud environments are common targets for this kind of attack because they typically offer huge amounts of compute that can be harnessed for whatever the attacker's purpose is.
“This attack stands out as yet another example of the growing threat to cloud native environments. With deployments becoming larger and container use on the rise, attackers are upping their game and mounting more ambitious attacks, with an increasing level of sophistication,” Singer said.