Attackers scan the Internet for Docker installations with open APIs and use them to distribute malicious Docker images infected by mining Monero cryptocurrency and scripts that use Shodan for search of new victims.
A new campaign was noticed by Trend Micro researchers after a malicious image with a crypto miner was loaded onto one of their trap installations.
“By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries”, — said inTrend Micro.
According to experts, the attackers use a script to find vulnerable hosts with an open port of 2375, hack them using brute force, and then install malicious containers.
As explained experts of the Alibaba Cloud security team, who also recorded the attacks, the incorrectly configured Docker Remote API can be used for unauthorized access to Docker data, theft or alteration of important information or interception of control over the server.
Attackers use open APIs to execute commands on the Docker host, allowing them to manage containers or create new ones using images from the repository controlled by them on the Docker Hub.
Trend Micro specialists managed to track one of these repositories. User with pseudonym zoolu2 owned it, and the repository itself contained nine images, including custom shell shells, Python scripts, configuration files, as well as Shodan scripts and cryptocurrency mining software.
“Malicious Docker images are distributed automatically using a script that checks“ hosts for publicly available APIs ”and uses Docker commands (POST / containers / create) to create a malicious container remotely. The same script launches the SSH daemon for remote communication with the attackers”, — informed Trend Micro specialists.
Next, crypto liner and the scanning process launched simultaneously to search for new vulnerable hosts. Iplist.txt file contains list of victims’ IP addresses contains that checked for duplicates and then sent to the attackers on C&C server.
Although the Docker team has already deleted the “malicious” repository, experts say that there are other similar accounts on the Docker Hub, and if they are deleted, the attackers are switching to the new ones.