Ethical Hacking News
Threat actors are targeting exposed Docker remote API servers to deploy the SRBMiner cryptocurrency miner on compromised hosts. The technique abuses the gRPC protocol over cleartext HTTP/2 (h2c) to drive Docker's build machinery; it does not rely on any vulnerability in gRPC itself.
The entry point is a Docker remote API that is reachable from the internet without authentication. Once connected, the attackers ask for a protocol upgrade to h2c (HTTP/2 without TLS) and then speak gRPC to BuildKit, the component Docker uses to build images. The gRPC services they probe cover health checks, file synchronization, registry authentication, build secrets and SSH agent forwarding. None of these are vulnerabilities: they are legitimate Docker/BuildKit features available to anyone who can talk to the API. The final payload is the SRBMiner crypto miner.
Attackers have been abusing exposed Docker remote API servers to deploy SRBMiner crypto miners on compromised hosts, according to a recent Trend Micro report. The campaign is a reminder that a remote management API reachable from the internet without authentication amounts to a full compromise of the host, whatever the platform.
Trend Micro researchers observed attackers targeting Docker remote API servers and using gRPC over h2c, which the report says let them bypass several security layers and manipulate Docker's build functionality through gRPC methods. The attackers first checked that the Docker API was reachable and which version it ran, then requested an upgrade to h2c, then called gRPC methods against the daemon.
The sequence begins with scanning for public-facing Docker API hosts and checking whether they accept an HTTP/2 upgrade, followed by a connection upgrade request to the unencrypted h2c protocol. The attackers then probe for available gRPC methods, including those used for health checks, file synchronization, registry authentication, build secrets and SSH agent forwarding, to confirm they can drive BuildKit through the upgraded connection.
After these checks, the attackers used the upgraded h2c connection to send a `/moby.buildkit.v1.Control/Solve` gRPC request, which builds an image from a file named `Dockerfile.srb`; the file contains ordinary container build steps on top of a legitimate base image. The attacker then downloaded SRBMiner from GitHub, unzipped it into a temporary directory, and placed the binary in `/usr/sbin`.
Finally, the miner was started with a Ripple wallet address and a public IP address written with its periods replaced by underscores, a cosmetic substitution rather than real masking. Trend Micro's analysis stresses that no vulnerability was exploited: the remote management API and BuildKit's gRPC interface worked as designed, and gRPC over h2c let the attackers slip past several security layers on the way to deploying SRBMiner. The practical fix is to never expose the Docker daemon socket or its TCP API (port 2375 by default, unencrypted) to untrusted networks, and to require TLS with client-certificate verification if remote access is genuinely needed.
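As an added example (not code from the article or from Trend Micro's report), the following Python script runs the detection a defender would want over the chain described above: it groups request-log lines by client, maps each request to a stage (version probe, h2c upgrade, BuildKit gRPC probe, Solve build) and issues a verdict per client. The log format, the sample lines, the `/grpc` upgrade path and the client addresses are constructed for the example; the BuildKit method names are real gRPC methods matching the feature groups the article lists, but the article itself names only `Control/Solve` and the set here is illustrative, not the report's full list.

```python
"""Flag the Docker remote-API abuse chain described above in HTTP request logs.

Added example, not code from the article or from Trend Micro's report.
Assumptions (constructed for the example): one request per line in the form
    <timestamp> <client-ip> <METHOD> <path> <HTTP-version> <headers>
where <headers> is ';'-separated Name:value pairs or '-' when none. A real
deployment would feed this from a reverse proxy in front of the daemon or from
dockerd debug logging, whose field layout differs.
"""
import re
from collections import defaultdict

# Real BuildKit gRPC method names matching the feature groups the article lists
# (health check, file sync, registry auth, build secrets, SSH forwarding).
# The article names only Control/Solve; the rest are illustrative, not the
# report's full list.
BUILDKIT_METHODS = {
    "/grpc.health.v1.Health/Check",
    "/moby.filesync.v1.FileSync/DiffCopy",
    "/moby.filesync.v1.Auth/Credentials",
    "/moby.buildkit.secrets.v1.Secrets/GetSecret",
    "/moby.sshforward.v1.SSH/CheckAgent",
}
BUILD_METHOD = "/moby.buildkit.v1.Control/Solve"   # the call that builds Dockerfile.srb
RECON_PATHS = {"/version", "/_ping", "/info"}       # unauthenticated reachability/version probes

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+) (?P<hdrs>\S+)$"
)
API_VERSION_RE = re.compile(r"^/v\d+\.\d+(?=/)")   # strip a versioned prefix such as /v1.43


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    hdrs = {}
    if rec["hdrs"] != "-":
        for pair in rec["hdrs"].split(";"):
            name, _, value = pair.partition(":")
            hdrs[name.lower()] = value
    rec["hdrs"] = hdrs
    return rec


def stage_of(rec):
    """Map a request to a stage of the chain, or None for ordinary API traffic."""
    path = API_VERSION_RE.sub("", rec["path"])
    if rec["hdrs"].get("upgrade", "").lower() == "h2c":
        return "h2c_upgrade"            # cleartext HTTP/2 upgrade request
    if path == BUILD_METHOD:
        return "build"                  # BuildKit Solve: image build from an attacker Dockerfile
    if path in BUILDKIT_METHODS or path.startswith(("/moby.", "/grpc.")):
        return "grpc"                   # probing other BuildKit session services
    if path in RECON_PATHS:
        return "recon"
    return None


def classify(stages):
    """Verdict from the stages one client has reached."""
    if "h2c_upgrade" in stages and "build" in stages:
        return "CHAIN"    # full h2c -> gRPC -> Solve sequence, as in the SRBMiner campaign
    if "h2c_upgrade" in stages:
        return "H2C"      # an upgrade alone is already unusual for a remote API client
    if "grpc" in stages or "build" in stages:
        return "GRPC"     # gRPC method without an observed upgrade: investigate
    return "NORMAL"


def analyze(log_text):
    """Return {client: {"stages": [stages in order first seen], "verdict": str}}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stages = seen[rec["client"]]     # register the client even if nothing matches
        st = stage_of(rec)
        if st and st not in stages:
            stages.append(st)
    return {c: {"stages": s, "verdict": classify(s)} for c, s in seen.items()}


# Constructed sample: one attacker following the reported sequence, one admin host.
SAMPLE_LOG = """\
2024-10-22T10:15:03Z 203.0.113.7 GET /version HTTP/1.1 -
2024-10-22T10:15:04Z 203.0.113.7 POST /grpc HTTP/1.1 Connection:Upgrade,HTTP2-Settings;Upgrade:h2c
2024-10-22T10:15:05Z 203.0.113.7 POST /grpc.health.v1.Health/Check HTTP/2 Content-Type:application/grpc
2024-10-22T10:15:05Z 203.0.113.7 POST /moby.filesync.v1.FileSync/DiffCopy HTTP/2 Content-Type:application/grpc
2024-10-22T10:15:06Z 203.0.113.7 POST /moby.buildkit.v1.Control/Solve HTTP/2 Content-Type:application/grpc
2024-10-22T10:20:00Z 10.0.0.5 GET /v1.43/containers/json HTTP/1.1 -
2024-10-22T10:20:01Z 10.0.0.5 POST /v1.43/containers/create HTTP/1.1 Content-Type:application/json
"""

if __name__ == "__main__":
    for client, result in analyze(SAMPLE_LOG).items():
        print(f"{client:15} {result['verdict']:7} {' -> '.join(result['stages']) or '-'}")
```

The upgrade check runs before the path checks on purpose: the `Upgrade: h2c` header is the pivot of the whole technique, so it is flagged regardless of which endpoint carried it. Treating an upgrade from a non-local client as suspicious on its own (verdict `H2C`) catches the chain early, before a `Solve` request has built anything; a legitimate `docker build` from an administrator's workstation will also upgrade to h2c, so the client address is the field to pivot on when triaging.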
Related Information:
https://securityaffairs.com/170144/malware/docker-remote-api-servers-srbminer.html
https://thehackernews.com/2024/10/cybercriminals-exploiting-docker-api.html
Published: Wed Oct 23 09:00:55 2024 by llama3.2 3B Q4_K_M