Over 2,000 Docker hosts have been infected by a worm that discreetly uses them to mine the Monero cryptocurrency. According to the Palo Alto Unit 42 researchers who discovered the malware variant, the worm searched for and infected exposed Docker Engines to spread the worm to. It then queried its command-and-control (C&C) server to look for more vulnerable hosts, choosing at random from among the possible targets.
The threat actors chose unsecure Docker hosts that lacked authentication measures as the main target to deploy and spread the worm. Once a suitable host is found, the attacker then uses remote commands to download a malicious image (pocosow/centos:7.6.1810) that comes with a tool that allows it to communicate with other Docker hosts.
The malicious container uses an entry point script (/var/sbin/bash) that downloads the following shell scripts from the C&C server, which it then executes.
Used to send the amount of available CPUs on the compromised host to the C&C server.
Used to download a file containing the list of hosts with unsecured Docker API endpoints. The script then chooses one of them and uses the communication tool to remotely retrieve and deploy the malicious container
Used to pick one of the vulnerable hosts from the IP file at random, after which it stops the cryptocurrency-mining container and other running XMRig-based containers,
Used to deploy and run the cryptojacking container on the target
The process is periodically repeated on the target, with the last known refresh interval set at 100 seconds.
According to Palo Alto, the malicious image has been downloaded more than 10,000 times, while the worm has been downloaded over 6,500 times at the time of the publication of their blog post.
Recommendations and solutions
With container adoption rising, threat actors are continuously devising new ways of using the technology for malicious purposes. Organizations that make use of containers should never leave them unsecured, since they can be used, not only as entry points for an attack, but also to spread malware to other hosts.
To help prevent security incidents involving container technology from occurring, we recommend the following best practices:
Containers should be configured so that access is granted only to trusted sources, which includes the internal network. This includes implementing proper authentication procedures for the containers themselves.
Security audits should be performed at regular intervals to check for any suspicious containers and images.
Docker itself provides guidelines on how users can create a stronger security profile for their container ecosystem.
In addition, organizations can also consider the following Trend Micro solutions that add protection for containers: Deep Security and Deep Security Smart Check scan container images for malware and vulnerabilities at each interval of the development pipeline to prevent threats before deployment.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).