Malware, Third-party code

OracleIV emerges as a ‘Dockerized’ DDoS bot agent

The Docker website is displayed on a computer.

Attackers are exploiting a misconfiguration in the Docker Engine API  to deliver a malicious Docker container called OracleIV that acts as a distributed-denial-of-service (DDoS) bot agent capable of conducting attacks.

In a blog post Nov. 13, Cado Security Labs researchers said OracleIV was so named because it’s built from an image called “oracleiv_latest” that contains Python malware compiled as an Executable and Linkable Format (ELF) file.  

Matt Muir, threat research lead at Cado Security Labs, explained that OracleIV demonstrates that attackers continue to search for and exploit misconfigured Docker deployments. Muir said this news should concern any organization that uses Docker in production, especially the Docker Engine API.

“Usage of this API is common in cloud-native and microservice-driven architectures, so we urge security teams tasked with monitoring this technology stack to pay particular attention to securing the Docker host,” said Muir. “In common with similar web-facing services (Jupyter, Redis), it's highly recommended that firewalls and security groups are used to prevent unauthorized access to the API.” 

Muir added that OracleIV highlights the ease in which attackers can hijack an exposed Docker host and run malicious code in a portable way. The campaign also shows that attackers can use Dockerhub, Docker's image hosting library, to host and distribute malicious images. As a result, Muir said Docker users should understand the potential for images hosted on Dockerhub to get shipped with malicious code. He said his team recommends periodic security scanning of these images.

Craig Harber, security evangelist at Open Systems, said exposing the Docker API to the internet is a hacker's dream scenario: it offers them an opportunity to gain an initial foothold into a system.

“There are several published reports of hackers and red teams successfully exploiting this vulnerability,” said Harber. “It justifies why hackers continuously scan the internet, looking for exposed endpoints to exploit. After the hacker identifies a vulnerable endpoint, they send commands to the container to gain unauthorized access to the system.”

Scott Gerlach, co-founder and CSO at StackHawk, said OracleIV shows why security and DevOps teams need to work more closely together. Docker and other containerized options significantly increase the speed and reliability of development, but Gerlach said security teams have to understand the environment to fully gain the benefit without unintended consequences.

Gerlach noted that while it's clearly called out in the documentation, the default deployment of the Docker TCP API is unencrypted and unauthenticated. Gerlach explained that someone in haste, or without fully understanding the environment, might not be aware that this could potentially expose this kind of issue to the public internet.

“There are ways to securely deploy the Docker Engine as well as other container systems, such as Kubernetes,” said Gerlach. “But without understanding of those systems and the environment to which they are deployed, as well as the potential security issues, attackers will continue to find the easy way into a system to accomplish their goals.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.