A new campaign was noticed by Trend Micro researchers after a malicious image with a crypto miner was loaded onto one of their trap installations.
“By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries”, — said inTrend Micro.
According to experts, the attackers use a script to find vulnerable hosts with an open port of 2375, hack them using brute force, and then install malicious containers.
As explained experts of the Alibaba Cloud security team, who also recorded the attacks, the incorrectly configured Docker Remote API can be used for unauthorized access to Docker data, theft or alteration of important information or interception of control over the server.
Attackers use open APIs to execute commands on the Docker host, allowing them to manage containers or create new ones using images from the repository controlled by them on the Docker Hub.
Trend Micro specialists managed to track one of these repositories. User with pseudonym zoolu2 owned it, and the repository itself contained nine images, including custom shell shells, Python scripts, configuration files, as well as Shodan scripts and cryptocurrency mining software.
“Malicious Docker images are distributed automatically using a script that checks“ hosts for publicly available APIs ”and uses Docker commands (POST / containers / create) to create a malicious container remotely. The same script launches the SSH daemon for remote communication with the attackers”, — informed Trend Micro specialists.
Next, crypto liner and the scanning process launched simultaneously to search for new vulnerable hosts. Iplist.txt file contains list of victims’ IP addresses contains that checked for duplicates and then sent to the attackers on C&C server.
Although the Docker team has already deleted the “malicious” repository, experts say that there are other similar accounts on the Docker Hub, and if they are deleted, the attackers are switching to the new ones.
Sources: https://blog.trendmicro.com, https://www.alibabacloud.com/blog
About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…
About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…
About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…
About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…
About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…
About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…