News

Cybercriminals infect Docker hosts with an open API, and then look for similar ones using Shodan service

Attackers scan the Internet for Docker installations with open APIs and use them to distribute malicious Docker images infected by mining Monero cryptocurrency and scripts that use Shodan for search of new victims.

A new campaign was noticed by Trend Micro researchers after a malicious image with a crypto miner was loaded onto one of their trap installations.

“By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries”, — said inTrend Micro.

According to experts, the attackers use a script to find vulnerable hosts with an open port of 2375, hack them using brute force, and then install malicious containers.

As explained experts of the Alibaba Cloud security team, who also recorded the attacks, the incorrectly configured Docker Remote API can be used for unauthorized access to Docker data, theft or alteration of important information or interception of control over the server.

Infection chain

Attackers use open APIs to execute commands on the Docker host, allowing them to manage containers or create new ones using images from the repository controlled by them on the Docker Hub.

Trend Micro specialists managed to track one of these repositories. User with pseudonym zoolu2 owned it, and the repository itself contained nine images, including custom shell shells, Python scripts, configuration files, as well as Shodan scripts and cryptocurrency mining software.

“Malicious Docker images are distributed automatically using a script that checks“ hosts for publicly available APIs ”and uses Docker commands (POST / containers / create) to create a malicious container remotely. The same script launches the SSH daemon for remote communication with the attackers”, — informed Trend Micro specialists.

Next, crypto liner and the scanning process launched simultaneously to search for new vulnerable hosts. Iplist.txt file contains list of victims’ IP addresses contains that checked for duplicates and then sent to the attackers on C&C server.

Although the Docker team has already deleted the “malicious” repository, experts say that there are other similar accounts on the Docker Hub, and if they are deleted, the attackers are switching to the new ones.

Sources: https://blog.trendmicro.com, https://www.alibabacloud.com/blog

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Netsmediashub.com Pop-up Ads

About Netsmediashub.com Netsmediashub.com pop-ups can not expose out of nowhere. If you have actually clicked…

9 hours ago

Remove News-bhexusa.xyz Pop-up Ads

About News-bhexusa.xyz News-bhexusa.xyz pop-ups can not open out of nowhere. If you have clicked on…

1 day ago

Remove News-bhupotu.xyz Pop-up Ads

About News-bhupotu.xyz News-bhupotu.xyz pop-ups can not launch out of the blue. If you have clicked…

1 day ago

Remove News-bhocime.info Pop-up Ads

About News-bhocime.info News-bhocime.info pop-ups can not open out of the blue. If you have actually…

1 day ago

Remove You-hub.online Pop-up Ads

About You-hub.online You-hub.online pop-ups can not launch out of nowhere. If you have clicked on…

1 day ago

Remove News-bhecudu.live Pop-up Ads

About News-bhecudu.live News-bhecudu.live pop-ups can not introduce out of the blue. If you have clicked…

1 day ago