A new campaign was noticed by Trend Micro researchers after a malicious image with a crypto miner was loaded onto one of their trap installations.
“By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries”, — said inTrend Micro.
According to experts, the attackers use a script to find vulnerable hosts with an open port of 2375, hack them using brute force, and then install malicious containers.
As explained experts of the Alibaba Cloud security team, who also recorded the attacks, the incorrectly configured Docker Remote API can be used for unauthorized access to Docker data, theft or alteration of important information or interception of control over the server.
Attackers use open APIs to execute commands on the Docker host, allowing them to manage containers or create new ones using images from the repository controlled by them on the Docker Hub.
Trend Micro specialists managed to track one of these repositories. User with pseudonym zoolu2 owned it, and the repository itself contained nine images, including custom shell shells, Python scripts, configuration files, as well as Shodan scripts and cryptocurrency mining software.
“Malicious Docker images are distributed automatically using a script that checks“ hosts for publicly available APIs ”and uses Docker commands (POST / containers / create) to create a malicious container remotely. The same script launches the SSH daemon for remote communication with the attackers”, — informed Trend Micro specialists.
Next, crypto liner and the scanning process launched simultaneously to search for new vulnerable hosts. Iplist.txt file contains list of victims’ IP addresses contains that checked for duplicates and then sent to the attackers on C&C server.
Although the Docker team has already deleted the “malicious” repository, experts say that there are other similar accounts on the Docker Hub, and if they are deleted, the attackers are switching to the new ones.
Sources: https://blog.trendmicro.com, https://www.alibabacloud.com/blog
About Netsmediashub.com Netsmediashub.com pop-ups can not expose out of nowhere. If you have actually clicked…
About News-bhexusa.xyz News-bhexusa.xyz pop-ups can not open out of nowhere. If you have clicked on…
About News-bhupotu.xyz News-bhupotu.xyz pop-ups can not launch out of the blue. If you have clicked…
About News-bhocime.info News-bhocime.info pop-ups can not open out of the blue. If you have actually…
About You-hub.online You-hub.online pop-ups can not launch out of nowhere. If you have clicked on…
About News-bhecudu.live News-bhecudu.live pop-ups can not introduce out of the blue. If you have clicked…