Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware (Jun 14, 2019)
Exposed Docker APIs are being abused to drop the “Dofloo” Trojan, malware used to build large-scale botnets. First detected in 2014, the malware enables threat actors to create botnets that launch Distributed Denial-of-Service (DDoS) attacks and spread cryptocurrency miners. The threat actors scan for Docker hosts whose API has been misconfigured to allow external access on port 2375. Every vulnerable host they find receives the “Dofloo” malware, which allows it to be used in DDoS attacks. The trojan also collects system information that the operators can use when deciding on later actions.
Recommendation: Administrators need to be aware of how to secure Docker correctly, applying security controls that allow only trusted sources to reach the Docker API. The official Docker documentation outlines how to properly secure the Docker daemon.
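As an added example (not part of the original brief), a small audit of a Docker daemon.json that flags the exposure described above: an API listener on TCP port 2375 that is reachable from outside the host without TLS client authentication. The `hosts`, `tls` and `tlsverify` keys follow Docker's daemon.json documentation; the sample configurations are constructed for illustration.

```python
"""Audit a Docker daemon.json for an externally reachable, unauthenticated API."""
import json

# Bind addresses that accept connections from any interface.
WILDCARD_ADDRS = {"", "0.0.0.0", "::", "[::]"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "localhost")


def audit_daemon_config(config_text: str) -> list[str]:
    """Return one finding per TCP 'hosts' entry that exposes the API.

    A TCP listener on a non-loopback address is only safe when tlsverify is
    set, because the 'tls' key alone encrypts the connection but does not
    require a client certificate, so anyone reaching the port can issue
    Docker API calls (the misconfiguration abused to drop Dofloo).
    """
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for entry in cfg.get("hosts", []):
        if not entry.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        target = entry[len("tcp://"):]
        addr, sep, port = target.rpartition(":")
        if not sep:
            addr, port = target, "2375"  # Docker's default port when omitted
        public = addr in WILDCARD_ADDRS or not addr.startswith(LOOPBACK_PREFIXES)
        if public and not tls_verify:
            findings.append(
                f"{entry}: Docker API on port {port} is reachable without TLS client auth"
            )
    return findings


# Constructed sample configurations: the weak setting beside the corrected one.
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_ONLY_CONFIG = '{"hosts": ["tcp://[::]:2376"], "tls": true}'
HARDENED_CONFIG = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("tls-only", TLS_ONLY_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, audit_daemon_config(cfg) or ["no exposure found"])
```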
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.