A set of scripts compromises the security of Docker services
According to reports of cybersecurity and digital forensics specialists from the International Institute of Cyber Security, malicious hackers seeking an easy way to mine cryptocurrency without the users’ consent are actively attacking the publicly exposed Docker services. According to specialists, hackers use a malicious script capable of scanning the network for vulnerable hosts and compromising them.
The entry point is TCP port 2375 or 2376, the default value for accessing the Docker service remotely through the REST management APIs, which allow users to create, start, and stop containers. Unless configured otherwise, both ports provide unencrypted and unauthenticated communication.
According to specialists in digital forensics, Docker containers are very popular because they allow virtualization at the operating system level. This allows you to run applications in a lighter virtual environment, complete with all the dependencies you need.
The researchers at a cybersecurity firm found that the cybercriminals are taking advantage of the poorly configured Docker services to add their own containers, which are run by a Monero mining script.
The infection is spread automatically through scripts and utilities already existing in the attacked system, in a tactic known by digital forensics experts as “living off the earth.” Among these scripts and utilities are Docker, wget, CURL, Bash, Iproute2, MASSCAN, apt-get, yum, Up2date, Pacman, dpkg-Query and SYSTEMD.
According to the research carried out by this firm, once the attacker arrives at a vulnerable host Docker, it starts a container and executes commands to download and start ‘auto.sh’, a script that helps to extend the operation. It also checks the system for specific packages and downloads the missing ones to continue proliferation to other hosts.
The script ‘auto.sh’ is also responsible for initiating the task of Monero mining executing another script called MoneroOcean. This miner is available for free download on GitHub, but the authors of this campaign actually use a variant hosted on Pastebin.
You can jump to different hosts after scanning network subnets connected to infected hosts; the IP addresses of the misconfigured Docker daemons are stored in a text file, processed by additional scripts called ‘test.sh’ and ‘test3.sh’. Its purpose is to traverse each IP address in the list and connect to remote hosts using the Docker client tool.
All of these scripts are hosted on a server that was running until the time the investigation was done. Different mining software called ‘XM’ is also stored on the server; it is considered marked as malicious by 24 different antiviruses on the site VirusTotal.
This is not the first time the auto.sh script is used for cryptojacking. In mid-October an attack campaign was detected in which a script with the same name was detected.
Getting to Docker over the network safely is easily achieved by executing communication over TLS. This is possible when the ‘tlsverify’ indicator is enabled and the definition of a trust certificate for the ‘ Tlscacert ‘ flag. Under this configuration, the daemon Docker only accepts authenticated connections with a trusted certificate. When in client mode, Docker connects only to servers that have a trusted certificate.
In conjunction with cloud computing technology, services exposed to the public Internet are easy prey for perpetrators of any kind of computer threat.