Threat actors have exploited misconfigured Docker containers to deliver cryptomining malware.
“Docker implements virtualization on the operating system (OS) level — also known as containerization,” Trend Micro researchers said in an Oct. 25 blog post. “The Docker APIs, in particular, allow remote users to control Docker images like a local Docker client does. Opening the API port for external access is not recommended, as it can allow hackers to abuse this misconfiguration for malicious activities.”
The attacks weren’t the result of the Docker engine being compromised or of problems within Docker’s enterprise platform; instead they were the result of misconfigurations made at the administrator level.
While researchers noted that misconfigurations aren’t new, they remain a perennial challenge, since many organizations, especially in China, still have misconfigured Docker hosts. Researchers also noted misconfigured Docker hosts in the U.S., France, Germany, Singapore, the Netherlands, the United Kingdom, Japan, India, and Ireland, with the majority of them running Linux.
In addition, more than half of the exposed hosts were running version 18.06.1-ce, a relatively recent Docker release, although misconfigurations were noted across other versions as well.
The attackers typically exploited the misconfiguration to create Docker containers through the exposed API port, then installed a wget package using the system package manager, used wget to download an auto-deployment script, converted the script from DOS to Unix format, set executable permissions on the script, and ran it.
Abuse of the Docker API isn’t new, and researchers noted previous instances in which similar misconfigurations led to exploitation, such as in April 2017, when an attacker deployed an additional SSH key on the compromised system and installed a distributed denial-of-service (DDoS) bot along with other malware, ensuring that the deployed bot would automatically restart on startup.
To prevent similar attacks, researchers recommend that organizations harden their security posture; ensure that container images are authenticated, signed, and from a trusted registry; enforce the principle of least privilege; properly configure the resources containers are allowed to use; and enable Docker’s built-in security features to help defend against threats.
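The misconfiguration at the root of these attacks, and several of the mitigations just listed, can be checked mechanically. The following is an added example, not code from Trend Micro, Docker, or the original article: a small Python audit that reads a Docker daemon.json, flags an Engine API listener on tcp:// that lacks TLS client verification, reports a few daemon-wide least-privilege settings, and builds a resource-capped, least-privilege `docker run` command restricted to an allow-listed registry. The two daemon.json documents, the registry name registry.example.internal, the uid/gid and the limit values are constructed for the example; the daemon.json keys and docker run flags are real Docker Engine options.

```python
"""Audit a Docker daemon.json for an exposed Engine API and build a
least-privilege `docker run` command. Example code, not Docker's own tooling."""
import json
from typing import List

# Constructed sample daemon.json documents (assumptions for this example; not
# taken from the Trend Micro report). The first is the exposure class the
# article describes: the Engine API bound to a public TCP port with no TLS.
EXPOSED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "userns-remap": "default",
  "no-new-privileges": true,
  "icc": false
}"""

# Hypothetical allow-list of registries the organisation trusts.
TRUSTED_REGISTRIES = ("registry.example.internal/",)


def audit_daemon_config(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    cfg = json.loads(config_text)
    findings: List[str] = []
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    # TLS client verification needs tlsverify plus CA, server cert and key.
    tls_ok = cfg.get("tlsverify") is True and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")
    )
    for host in tcp_hosts:
        if not tls_ok:
            findings.append(
                f"CRITICAL: Engine API listens on {host} without TLS client "
                "verification; anyone who can reach the port controls the host"
            )
    if not cfg.get("userns-remap"):
        findings.append("WARN: userns-remap unset; container root maps to host root")
    if cfg.get("no-new-privileges") is not True:
        findings.append("WARN: no-new-privileges not enforced daemon-wide")
    if cfg.get("icc", True):  # Docker's default is True
        findings.append("INFO: inter-container communication (icc) is enabled")
    return findings


def hardened_run_args(image: str, memory: str = "512m", cpus: str = "1.0",
                      pids_limit: int = 256) -> List[str]:
    """Build a least-privilege, resource-capped `docker run` argument list."""
    if not image.startswith(TRUSTED_REGISTRIES):
        raise ValueError(f"image {image!r} is not from a trusted registry")
    return [
        "docker", "run", "--rm",
        "--read-only",                         # immutable root filesystem
        "--cap-drop=ALL",                      # drop every Linux capability
        "--security-opt=no-new-privileges",    # block setuid escalation
        "--user=65532:65532",                  # constructed unprivileged uid/gid
        f"--memory={memory}",                  # resource caps limit the damage
        f"--cpus={cpus}",                      # a cryptominer can do
        f"--pids-limit={pids_limit}",
        image,
    ]


if __name__ == "__main__":
    samples = (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON))
    for name, text in samples:
        print(f"[{name}]")
        for finding in audit_daemon_config(text) or ["OK: no findings"]:
            print("  " + finding)
    print(" ".join(hardened_run_args("registry.example.internal/app:1.0")))
```

Running the script prints the findings for each sample configuration; on a real host, pass it the contents of /etc/docker/daemon.json instead. The audit reads only that file: a `-H tcp://...` option given to dockerd on the command line (for example in a systemd unit) exposes the API just the same and has to be checked separately.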