In what researchers say is a first, attackers are performing a new container attack technique in the wild, whereby they build their own malicious images on a targeted host instead of pulling preexisting ones from a public registry. This maneuver allows the adversaries to avoid static detection by scanners that are programmed to look for suspicious images.
The attack exploits misconfigured Docker API ports in order to infect victims with a resource-hijacking cryptominer, according to a new blog post from Aqua Security, whose researchers uncovered the scheme.
“This is yet another step in the super-fast evolution of attacks against cloud-native environments in just the past couple of years,” says the post, from Assaf Morag, lead data analyst.
“Normally, attacks against misconfigured Docker API are initiated by pulling an image from a public registry (i.e. Docker Hub) and spinning up the container on the targeted host environment,” explains Morag. But by building an original image on the host, scanners likely won’t detect a problem “since the image is built upon a standard Alpine base image and would most probably be marked as benign.”
Indeed, because images’ names and perhaps even IDs are randomly created, security personnel can’t easily add these images to deny/block lists in order to facilitate future detection of such threats. The technique also improves the persistency of the attack because the malicious image can’t be taken down if it’s not stored anywhere in the first place.
Fortunately, Morag advises that dynamic threat analysis that seeks out anomalous behavior should help block this attack technique.
In the observed attack, the adversary used a Docker SDK for Python package to send various malicious commands to vulnerable Docker implementations. The first of these commands is designed to determine if a Docker server has an exposed API. If so, the attackers then use a GET request to receive a list of containers on the host. Next, they use a POST request with a Docker build command to create an image on the host. At that point, the attackers create a new malicious container based on the image and then run said container and ultimately execute an ELF file, which turns out to be the XMRig cryptominer.
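As an added example (not code from Aqua's post or from any product), a small Python detector that applies the dynamic, behaviour-based approach Morag recommends to the API sequence described above: it reads dockerd debug-log lines and flags an image built on the host through the API that is then turned into a running container, while a normal registry pull followed by a run is left alone. It assumes the daemon was started with `--debug`, which logs each API request as `Calling <METHOD> <PATH>`; the log lines, timestamps, container ID and image tag below are constructed.

```python
import re

# Constructed sample of dockerd debug-log lines (not a real capture). With the daemon
# started with --debug, each API request is logged as `Calling <METHOD> <PATH>`; the
# sequence below mirrors the one described in the article: probe the API, list the
# containers, build an image on the host, then create and start a container from it.
SAMPLE_LOG = """\
time="2020-07-28T10:00:01Z" level=debug msg="Calling GET /v1.40/info"
time="2020-07-28T10:00:02Z" level=debug msg="Calling GET /v1.40/containers/json?all=1"
time="2020-07-28T10:00:03Z" level=debug msg="Calling POST /v1.40/build?t=x6gs8p1b"
time="2020-07-28T10:00:05Z" level=debug msg="Calling POST /v1.40/containers/create"
time="2020-07-28T10:00:06Z" level=debug msg="Calling POST /v1.40/containers/4a1f2c/start"
"""

CALL_RE = re.compile(r'time="([^"]+)" level=\w+ msg="Calling (GET|POST|PUT|DELETE) (/[^"?\s]*)')


def parse_calls(log_text):
    """Extract time, method and endpoint from each `Calling` line, dropping the /vX.Y prefix."""
    calls = []
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if m:
            endpoint = re.sub(r"^/v\d+\.\d+", "", m.group(3))
            calls.append({"time": m.group(1), "method": m.group(2), "endpoint": endpoint})
    return calls


def find_build_then_run(calls):
    """Flag each POST /build that is later followed by a container create and start.
    A registry pull (POST /images/create) followed by a run is normal and is not flagged."""
    findings = []
    for i, call in enumerate(calls):
        if not (call["method"] == "POST" and call["endpoint"] == "/build"):
            continue
        later = [c["endpoint"] for c in calls[i + 1:] if c["method"] == "POST"]
        created = "/containers/create" in later
        started = any(e.startswith("/containers/") and e.endswith("/start") for e in later)
        if created and started:
            findings.append({
                "build_at": call["time"],
                # Recon step from the article: the container list was fetched before the build.
                "listed_containers_first": any(
                    c["method"] == "GET" and c["endpoint"] == "/containers/json"
                    for c in calls[:i]
                ),
            })
    return findings
```

On a real host, feed the output of `journalctl -u docker` (or the daemon's log file) to `parse_calls` and alert on any non-empty result from `find_build_then_run`; because the check keys on the API call sequence rather than on an image name or ID, the randomised names noted above do not evade it.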