Cryptojacking worm infects exposed Docker deployments

by ethhack

Attackers are exploiting Docker Engine deployments that are exposed to the internet without authentication to deploy and run cryptojacking malware on servers. A new cryptojacking botnet with self-spreading capabilities has infected over 2,000 such Docker deployments so far.

“There have been incidents of cryptojacking malware spreading as a worm, but this is the first time we see a cryptojacking worm spread using containers in the Docker Engine (Community Edition),” researchers from Palo Alto Networks said in a report released today. “Because most traditional endpoint protection software does not inspect data and activities inside containers, this type of malicious activity can be difficult to detect.”

A botnet with unusual behavior

The new worm has been dubbed Graboid and was distributed from Docker Hub, a public repository of Docker container images. Attackers uploaded images to Docker Hub with malicious scripts that, when executed, deployed the malware to other insecure servers.

The researchers found several container images associated with the attack, each used for a different stage of the infection chain. The images were removed after the Docker Hub maintainers were notified of the abuse.

One image was based on CentOS and its purpose was to connect to predefined command-and-control (C2) servers to download and execute four shell scripts. It also contained a Docker client for sending commands to exposed Docker daemons.

One of the scripts delivered by the C2 servers collected details about the compromised environment, such as the number of available CPUs, and sent the information back to the attackers. Another script downloaded a list of over 2,000 IP addresses corresponding to insecure Docker API endpoints, randomly picked one of them and used the Docker client to connect to it and deploy the same rogue container image from Docker Hub, thus achieving self-propagation.
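The whole infection chain hinges on a Docker daemon that listens on TCP with no authentication, so anyone who can reach the port can pull and run containers on the host. As an added example that is not part of this article or of Palo Alto Networks' report, the following Python audit flags such listeners in a daemon.json file or on a dockerd ExecStart line; the sample configurations are constructed.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not from the article): one daemon.json that exposes
# the API on every interface without TLS, and one that requires client certs.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
})


def parse_hosts(daemon_json_text, exec_start=""):
    """Collect the listener addresses dockerd would use, from the daemon.json
    'hosts' key and from any -H/--host flags on the ExecStart command line.
    Returns (hosts, tls_required)."""
    cfg = json.loads(daemon_json_text) if daemon_json_text else {}
    hosts = list(cfg.get("hosts", []))
    argv = shlex.split(exec_start)
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith("--host=") or tok.startswith("-H="):
            hosts.append(tok.split("=", 1)[1])
    tls = bool(cfg.get("tlsverify")) or "--tlsverify" in argv
    return hosts, tls


def audit(daemon_json_text, exec_start=""):
    """Return a list of findings; an empty list means no unauthenticated
    network-reachable listener was configured."""
    hosts, tls = parse_hosts(daemon_json_text, exec_start)
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if not tls:
            findings.append(f"{h}: TCP listener without --tlsverify "
                            "(anyone who can reach it can run containers)")
        if u.hostname in ("0.0.0.0", "::", None):
            findings.append(f"{h}: bound to all interfaces")
    return findings
```

Run it against the daemon.json and the systemd unit of each Docker host; a non-empty result from the unhardened config is exactly the exposure the worm looks for.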

Copyright © 2019 IDG Communications, Inc.
