A Hacking Group is Hijacking Docker Systems with Exposed API Endpoints (Nov 26, 2019)
Chief Research Officer (CRO) Troy Mursch of Bad Packets LLC discovered operations being carried out against Docker containers. A threat group was observed mass scanning for Docker platforms with API endpoints exposed on the internet. The threat actors search for these Docker instances in order to deploy a cryptocurrency miner on the user's Docker instance and generate profit for the group. At the time of writing, the actors behind the attack were scanning in excess of 59,000 IP networks for exposed Docker entities. Once the group identifies an exposed instance, they use the API endpoint to run a command that installs a sample of the XMRig cryptocurrency miner. As a precaution, the malware used in the campaign has self-defence procedures in place to uninstall monitoring agents and kill processes downloaded from the group's C2. Docker containers became a target in 2019 following the discovery of CVE-2019-5736, a zero-day exploit which would allow remote users root access to Docker containers.
Recommendation: To ensure an organisation does not become a victim of these resource-hijacking attacks, it is advised to make certain that endpoints are secured with the latest patches. It is also suggested that users be given standard user accounts without unnecessary escalated privileges, and that endpoint anti-malware tools be used to protect the Docker containers. Organisations should also ensure that applications are appropriately configured so that they cannot be abused by threat actors, in this case preventing threat actors from using Docker containers for cryptomining.
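As an added configuration check for the "appropriately configured" point above (not from the article, Bad Packets or the Docker project), the Python audit below reads a Docker daemon.json and flags the exposure this campaign relies on: an Engine API listener on TCP without tlsverify, or one bound to every interface. The two sample documents, their addresses and certificate paths are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not taken from the article).
# WEAK_CONFIG exposes the Engine API on all interfaces with no client
# authentication; HARDENED_CONFIG restricts it to one management address
# and requires client certificates signed by the listed CA.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # constructed path
    "tlscert": "/etc/docker/server-cert.pem",   # constructed path
    "tlskey": "/etc/docker/server-key.pem",     # constructed path
})

# Listener addresses that mean "every interface on the host".
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_daemon_config(raw: str) -> list:
    """Return human-readable findings for one daemon.json document."""
    cfg = json.loads(raw)
    findings = []
    # tlsverify implies TLS plus mandatory client-certificate checking;
    # tls alone only encrypts and still lets anyone issue API calls.
    tls_auth = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        if not tls_auth:
            reason = ("tls without tlsverify (no client auth)"
                      if cfg.get("tls") else "no TLS at all")
            findings.append(f"{host}: remote Engine API with {reason}; "
                            "anyone who can reach it controls the daemon")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but CA/cert/key paths incomplete")
        if (parts.hostname or "") in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces; restrict to a "
                            "management address or firewall the port")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

The same listener and TLS settings can also be given as dockerd command-line options (for example in a systemd drop-in) instead of daemon.json, so a real audit should check both places.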
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.