Infected Cryptocurrency-mining Containers Target Docker Hosts With Exposed APIs, Use Shodan to Find Additional Victims (May 30, 2019)
Trend Micro researchers have identified Docker containers with exposed APIs that are being used to host threats. A script uses the internet-scanning tool Shodan to search for hosts with exposed Docker APIs; once one is found, Docker commands are used to create a container on that host and run malicious code. A coin-mining binary for the Monero cryptocurrency is then launched, together with scripts that look for new hosts to infect. Each host found is added to an IP list that the Command and Control (C2) servers iterate through when looking for the next host, looping back to the beginning to start the process again.
Recommendation: Containers and APIs should always be properly configured to minimize exploitation, by ensuring they are accessible only from internal networks and trusted sources. Docker recommends using official or certified images so that only trusted content is run in the environment; Docker also publishes official guidelines for users to strengthen their security. Docker containers should not be run with root privileges and should be run only as application users.
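As an added example (not code from the original report, Trend Micro or Docker), the Python script below checks a Docker daemon.json and a container's inspect output against the two points above: a TCP listener on the Engine API should be bound to an internal address and require TLS client verification, and a container's configured user should not be root. The daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) and the Config.User field are real Docker settings; the sample configurations, the 10.0.0.5 address and the certificate paths are constructed for the example.

```python
"""Audit Docker Engine API exposure and container user settings.

Added example, not code from Trend Micro or Docker. The daemon.json keys and
the inspect-output field used here are Docker's own; all sample values are
constructed for illustration.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: a daemon.json that exposes the Engine API the way the
# compromised hosts in the story did (TCP on every interface, no TLS).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the same daemon restricted to the local socket plus a
# TLS-authenticated listener on an internal address (10.0.0.5 is made up and
# the certificate paths are placeholders).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed samples in the shape of `docker inspect` output (only the fields
# used here): the first runs as root, the second as an unprivileged app user.
ROOT_CONTAINER = json.dumps({"Name": "/worker", "Config": {"User": ""}})
APP_USER_CONTAINER = json.dumps({"Name": "/worker", "Config": {"User": "app:app"}})


def _is_wildcard(host):
    """True when the bind address means 'every interface' (or was left unset)."""
    return host in (None, "", "0.0.0.0", "::")


def audit_daemon_config(daemon_json):
    """Return a list of findings for a daemon.json document (empty list = clean)."""
    cfg = json.loads(daemon_json)
    findings = []
    # unix:// and fd:// sockets are local-only; only tcp:// reaches the network.
    tcp_listeners = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for listener in tcp_listeners:
        addr = urlsplit(listener).hostname  # strips the [] around IPv6 literals
        if _is_wildcard(addr):
            findings.append(f"{listener}: API bound to all interfaces")
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"{listener}: bind address is a hostname; "
                            "confirm it resolves to an internal interface")
            continue
        if not (ip.is_private or ip.is_loopback):
            findings.append(f"{listener}: API bound to a public address")
    # Without tlsverify, any client that can reach the port can issue API calls.
    if tcp_listeners and not cfg.get("tlsverify", False):
        findings.append("TCP listener without tlsverify: clients are not authenticated")
    return findings


def container_runs_as_root(inspect_json):
    """True when the container's configured user is root (unset, 'root' or uid 0)."""
    cfg = json.loads(inspect_json)
    user = cfg.get("Config", {}).get("User", "")
    name = user.split(":")[0]  # "user[:group]" or "uid[:gid]"
    return name in ("", "root", "0")


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
    print("root container:", container_runs_as_root(ROOT_CONTAINER))
    print("app-user container:", container_runs_as_root(APP_USER_CONTAINER))
```

On a real host, feed the script the contents of /etc/docker/daemon.json and the output of `docker inspect <container>` (which returns a JSON list; pass each element). An empty finding list from audit_daemon_config means the API is either not on the network at all or is reachable only from an internal address and only by clients that present a certificate signed by the configured CA.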