For months now, cybercriminals have been taking advantage of misconfigured Docker deployments to carry out cryptojacking.
"Commando Cat" (not the only campaign targeting Docker these days) traces back to the start of the year. According to the latest update from Trend Micro, the still-unidentified attackers continue to exploit Docker misconfigurations to gain unauthorized access to containerized environments, using Docker images to deploy cryptocurrency miners and make a quick buck.
Manipulating Docker Containers
For a long time now, containerization has been useful to organizations. More recently, it has also become useful to cyberattackers.
"What we're seeing is cybercriminals using these same Docker capabilities to get their own containers running in your infrastructure," explains Al Carchrie, R&D lead solutions engineer at Cado Security, the first to uncover Commando Cat (as well as the other recent Docker exploitation) back in January. "There are two ways you can do that. You can register a container within a library, and you can then call that container from the library that contains your malicious code, and get that malicious code to run. We're starting to see people move away from that, because the libraries are doing a really good job of looking for malicious containers."
Commando Cat takes the other approach: using benign containers as blank slates onto which the attackers pull in and run their own malicious code.
To do that, as in so many modern cyberattacks, the threat actor first identifies exposed endpoints to home in on. In this case, those endpoints are Docker remote API servers. "Nine times out of 10, that is going to come down to a misconfiguration. As we see with various incidents, whether in the cloud or on premises or hybrid, it is pretty much down to oversight," Carchrie notes.
With an exposed Docker API as the initial means of access, the attacker pulls a harmless Docker image built with the open source tool Commando, then uses it as the basis for a new container. The dangerous part is not the image but how the container is started: using volume binding (a bind mount that maps a directory on the host into the container) together with the Linux "chroot" operation, the attacker mounts the host filesystem inside the container and changes root into it. That lets them peek outside the container and ultimately escape to the host operating system.
By the end, they can establish a command-and-control (C2) channel and upload their cryptojacking malware.
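The precondition for the escape described above is visible in the container's own configuration: a host path, in particular the host root, bind-mounted into the container. The following audit script is an added example, not code from the article, Cado Security or Trend Micro. It walks `docker inspect` output and flags host bind mounts of sensitive paths; it also flags privileged mode and host PID namespace, which are not part of the campaign as described but are the same class of host-reaching setting. The two container records are constructed to mimic `docker inspect` JSON, and the list of sensitive paths is an illustrative assumption, not a complete policy.

```python
"""Audit `docker inspect` output for settings that let a container reach the host.

Added example (not from the article or the vendors it quotes).  The SAMPLE_INSPECT
records are constructed to resemble `docker inspect` output; SENSITIVE_HOST_PATHS is
an illustrative assumption, not a complete policy.
"""
import json
import sys
from typing import Dict, List

# Host paths that, bind-mounted into a container, give it a foothold on the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/var/run/docker.sock", "/root")


def _is_sensitive(host_path: str) -> bool:
    """True if host_path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = host_path.rstrip("/") or "/"
    if norm == "/":
        return True  # the whole host filesystem: the pattern the article describes
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            continue  # handled above; a prefix test on "/" would match everything
        if norm == p or norm.startswith(p + "/"):
            return True
    return False


def audit_container(c: dict) -> List[str]:
    """Return a list of human-readable findings for one `docker inspect` record."""
    findings: List[str] = []
    hc = c.get("HostConfig", {})
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and raw device access")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: host processes visible to the container")

    # Bind mounts show up both in HostConfig.Binds ("host:container[:opts]") and
    # in Mounts (Type == "bind"); dedupe on the host-side path.
    seen = set()
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src.startswith("/") and _is_sensitive(src) and src not in seen:
            seen.add(src)
            findings.append(f"host path {src} bind-mounted ({bind})")
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and _is_sensitive(src) and src not in seen:
            seen.add(src)
            findings.append(f"host path {src} bind-mounted at {m.get('Destination')}")
    return findings


def audit_all(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


# Constructed sample: one ordinary container and one started the way the article
# describes (stock image, host root bind-mounted, ready to chroot into).
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": "", "Binds": ["appdata:/var/lib/app:rw"]},
        "Mounts": [{"Type": "volume", "Name": "appdata",
                    "Source": "/var/lib/docker/volumes/appdata/_data",
                    "Destination": "/var/lib/app"}],
    },
    {
        "Name": "/quiet_turing",
        "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host:rw"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
])


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_containers.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_all(data).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against live hosts with `docker inspect $(docker ps -q)` piped in; with no input it audits the constructed sample. The named volume on the first container is not flagged because its source lives under Docker's own volume directory, while the second container's `/:/host` bind is exactly what a chroot escape needs, regardless of how innocent the image itself is.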
What Organizations Can Do
Commando Cat's attacks have been streamlined somewhat since earlier this year, when its payloads included scripts designed to backdoor the target system, establish persistence, exfiltrate cloud credentials, and more. What is clear is that, under different circumstances, this same kind of attack could lead to far more than cryptojacking: an attacker who has escaped to the host has whatever the host has.
To mitigate that risk, Trend Micro recommends that organizations use only official or certified Docker images, avoid running containers with root privileges, perform regular security audits, and adhere to general guidelines and best practices for containers and APIs.
And most of all, Carchrie emphasizes, "Make sure that your Docker container's API is not directly accessible to the Internet."
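The exposure Carchrie warns about is a daemon setting, so it can be checked the same way. The script below is an added example, not code from the article or Trend Micro; it reads a `daemon.json` and flags a remote API listening on TCP, on all interfaces, or without `tlsverify`. The two configurations are constructed: the weak one publishes the unauthenticated API on port 2375, the corrected one keeps the API on the local Unix socket and adds `userns-remap` so that root inside a container is an unprivileged user on the host. Treating a missing `userns-remap` as a finding is this script's assumption about how to act on the "avoid root privileges" advice, not something the article prescribes.

```python
"""Check a Docker daemon.json for an exposed remote API.

Added example (not from the article or Trend Micro).  Both configurations are
constructed; flagging a missing `userns-remap` is this script's interpretation of
"avoid running containers with root privileges".
"""
import json
from typing import List

# Weak: API on every interface, plaintext, no client authentication.  Anyone who can
# reach port 2375 can create containers with arbitrary bind mounts.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Corrected: local socket only; container root mapped to an unprivileged host uid;
# processes inside containers cannot gain privileges via setuid binaries.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock"],
    "userns-remap": "default",
    "no-new-privileges": True,
})

# If remote access is genuinely required: TLS with client-certificate verification,
# bound to a specific internal address (and still firewalled from the Internet).
TLS_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
})


def _bind_address(tcp_host: str) -> str:
    """Extract the bind address from a 'tcp://addr:port' host entry."""
    addr = tcp_host[len("tcp://"):]
    if addr.startswith("["):                 # IPv6 literal, e.g. tcp://[::]:2375
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def audit_daemon_config(raw: str) -> List[str]:
    """Return findings for a daemon.json document given as a string."""
    cfg = json.loads(raw)
    findings: List[str] = []
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue                          # unix:// and fd:// are local only
        if _bind_address(h) in ("", "0.0.0.0", "::"):
            findings.append(f"{h}: API bound to all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{h}: TCP API without tlsverify (unauthenticated)")
    if "userns-remap" not in cfg:
        findings.append("no userns-remap: root in a container is root on the host")
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_daemon.py < /etc/docker/daemon.json
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else WEAK_DAEMON_JSON
    for f in audit_daemon_config(raw) or ["OK"]:
        print("-", f)
```

Even the TLS variant only passes because the address is a specific internal one; a `tcp://0.0.0.0:2376` entry would still be flagged for listening on every interface, since a certificate check is a control of last resort, not a substitute for keeping the API off the Internet.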