A newly discovered botnet malware exploits a misconfigured Engine API in Docker Engine - Community, the open-source edition of the container platform, to infiltrate containers and run a variant of the Linux botnet malware AESDDoS, according to a Trend Micro blog post.
“Docker APIs that run on container hosts allow the hosts to receive all container-related commands that the daemon, which runs with root permission, will execute,” Trend Micro researchers wrote.
“Allowing external access — whether intentionally or by misconfiguration — to API ports allows attackers to gain ownership of the host, giving them the ability to poison instances running within it with malware and to gain remote access to users’ servers and hardware resources,” the blog post noted.
Researchers also noticed threat actors abusing a tool called Docker Batch Test, which was developed to detect vulnerabilities in Docker installations.
To prevent similar container-based incidents, researchers recommended that users check the daemon's API configuration (which sockets it listens on and whether TLS client authentication is enforced), implement the principle of least privilege, follow recommended best practices and employ automated runtime and image scanning to gain further visibility into a container's processes.
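The first of those recommendations, checking the API configuration, is easy to automate. The script below is an added example written for this article, not Trend Micro's or Docker's code. It reads the `hosts` list and TLS keys that dockerd honours in `/etc/docker/daemon.json`, plus any `-H`/`--host` flags from the dockerd command line (distro systemd units often set these), and flags every TCP listener that accepts commands without TLS client-certificate verification. The two sample configurations, the file paths and the finding wording are constructed for illustration.

```python
"""Audit a Docker daemon's listener configuration for an exposed Engine API.

Hypothetical helper written for this article (not Trend Micro's or Docker's
code). Because dockerd runs as root, any TCP listener that accepts commands
without client authentication hands root on the host to whoever can reach
the port, which is the misconfiguration the AESDDoS campaign abused.
"""
import json
from urllib.parse import urlsplit

# dockerd only verifies client certificates when tlsverify is set; `tls` alone
# encrypts the connection but still accepts any client. This audit also insists
# on explicit cert paths: dockerd falls back to ~/.docker/*.pem when they are
# omitted, and an audit should not trust that silently (audit policy, not a
# dockerd requirement).
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")
LOCAL_SCHEMES = ("unix", "fd", "npipe")  # not reachable over the network
WILDCARD_ADDRS = ("", "0.0.0.0", "::")   # bound to every interface


def hosts_from_cmdline(argv):
    """Collect listener URLs given to dockerd as -H <url>, -H<url> or --host=<url>."""
    hosts = []
    args = iter(argv)
    for arg in args:
        if arg in ("-H", "--host"):
            hosts.append(next(args, ""))
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:
            hosts.append(arg[2:])
    return hosts


def audit_hosts(hosts, client_auth):
    """Return one finding string per listener that exposes the API."""
    findings = []
    for host in hosts:
        url = urlsplit(host)
        if url.scheme in LOCAL_SCHEMES:
            continue
        if url.scheme != "tcp":
            findings.append(f"WARN {host}: unrecognised listener scheme")
            continue
        # A bare -H tcp:// means port 2375 (2376 with TLS): the ports that
        # mass scanners probe for open Docker daemons.
        wildcard = (url.hostname or "") in WILDCARD_ADDRS
        if not client_auth:
            sev = "CRITICAL" if wildcard else "HIGH"
            findings.append(
                f"{sev} {host}: Engine API accepts commands without TLS client authentication"
            )
        elif wildcard:
            findings.append(
                f"WARN {host}: TLS-protected API bound to all interfaces; restrict with a firewall"
            )
    return findings


def audit_daemon_json(daemon_json, argv=()):
    """Audit daemon.json text plus an optional dockerd argv; returns findings."""
    config = json.loads(daemon_json)
    hosts = list(config.get("hosts", [])) + hosts_from_cmdline(argv)
    if not hosts:  # dockerd's default is the local unix socket only
        hosts = ["unix:///var/run/docker.sock"]
    client_auth = bool(config.get("tlsverify")) and all(k in config for k in TLS_KEYS)
    return audit_hosts(hosts, client_auth)


# Constructed sample configurations (not taken from any real incident).
INSECURE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(text) or ["OK: no network-exposed Engine API"])
```

Two caveats when running this against a real host: dockerd refuses to start if `hosts` appears in daemon.json while the systemd unit also passes `-H`, so in practice only one of the two sources is populated (the audit merges both to be safe), and the cleanest fix is usually to drop the TCP listener entirely and reach the daemon over SSH or the unix socket rather than to add TLS.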