Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Malicious Swarm Botnet Exploits Docker API for Cryptojacking Campaign




A new cryptojacking attack has been discovered that exploits vulnerabilities in the Docker API to create a malicious swarm botnet, compromising multiple Docker hosts and expanding the threat actor's control over these compromised systems. The attackers used a combination of Internet scanning tools and the Docker Engine API to gain initial access and deploy cryptocurrency miners on compromised containers, ultimately turning the compromised systems into a botnet for further exploitation.

  • Docker API vulnerabilities are exploited to launch a malicious swarm botnet.
  • The attack uses Internet scanning tools to identify unauthenticated Docker API endpoints.
  • An Alpine container is spawned, which downloads cryptocurrency miner scripts and launches the miner process.
  • The malware utilizes a rootkit to hide from view and propagates through Docker Swarm.
  • The botnet can spread laterally to Kubernetes and SSH endpoints on the network.
  • Exposed Docker API endpoints without authentication are a significant vulnerability.



  • A recent cybersecurity threat has been uncovered that exploits vulnerabilities in the Docker API to launch a malicious swarm botnet. The attack, which was discovered by researchers at Datadog, utilizes the Docker Engine API to create an initial access vector for deploying cryptocurrency miners on compromised containers.

    The attackers' method of operation involves leveraging Internet scanning tools such as masscan and ZGrab to identify unauthenticated and exposed Docker API endpoints. Once a vulnerable endpoint is identified, the Docker API is used to spawn an Alpine container, which then retrieves an initialization shell script (init.sh) from a remote server called "solscan[.]live". This script checks that it is running as the root user and that tools such as curl and wget are installed before downloading the XMRig miner.

    The malicious miner process is hidden from view using the libprocesshider rootkit, which prevents the process from being detected by user-level process enumerating tools such as top and ps. The initialization script also fetches three other shell scripts - kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh - for lateral movement to Docker, Kubernetes, and SSH endpoints on the network.
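    The hiding technique described above is what a defender can check for. The following is an added example (not code from the article, from Datadog, or from the malware) that looks for the two traces an LD_PRELOAD rootkit of the libprocesshider kind leaves: an entry in /etc/ld.so.preload, and PIDs whose /proc/<pid> directory still answers stat() even though they never appear when /proc is listed, since this family of rootkits only hooks readdir(). The allowlist and the sample PIDs are constructed; the live collector assumes a Linux host.

```python
"""Detect userland process hiding of the libprocesshider kind.

Added example; not from the page, Datadog, or the malware. Assumes Linux and
relies on two facts about LD_PRELOAD rootkits: they are loaded through
/etc/ld.so.preload, and libprocesshider only hooks readdir(), so a hidden
PID's /proc/<pid> directory still answers stat().
"""
import os

# Constructed allowlist: libraries this fleet legitimately preloads. On most
# hosts /etc/ld.so.preload does not exist or is empty.
EXPECTED_PRELOAD = frozenset()


def suspicious_preload_entries(preload_text, allowlist=EXPECTED_PRELOAD):
    """Return every library in ld.so.preload text that is not allowlisted."""
    found = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()   # comments are permitted in the file
        for lib in line.split():               # several libs per line are allowed
            if lib not in allowlist:
                found.append(lib)
    return found


def hidden_pids(listed_pids, probed_pids):
    """PIDs reachable by stat() but missing from the readdir()-based listing.

    Process churn can produce a transient delta, so the live collector below
    takes the listing twice and only reports PIDs absent from both.
    """
    return sorted(set(probed_pids) - set(listed_pids))


def analyze(preload_text, listed_pids, probed_pids):
    """Combine both signals into one finding dict."""
    return {
        "preload_entries": suspicious_preload_entries(preload_text),
        "hidden_pids": hidden_pids(listed_pids, probed_pids),
    }


# ---- live collection (Linux only) -----------------------------------------

def list_proc_pids():
    """Enumerate /proc with readdir(), i.e. the view a hooked libc gives."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_proc_pids(pid_max=None):
    """Brute-force /proc/<pid> with stat(); a readdir() hook cannot filter this.
    pid_max defaults to the kernel limit (up to 4194304 on 64-bit hosts, so
    expect a few seconds of syscalls)."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    return {pid for pid in range(1, pid_max + 1) if os.path.exists(f"/proc/{pid}")}


def collect_live():
    try:
        with open("/etc/ld.so.preload") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    first = list_proc_pids()
    probed = probe_proc_pids()
    second = list_proc_pids()
    # Report only PIDs invisible to both listings that still exist afterwards.
    stable = {p for p in probed if os.path.exists(f"/proc/{p}")}
    return analyze(preload_text, first | second, stable)


if __name__ == "__main__":
    # Constructed sample: one injected preload entry and one hidden PID.
    print(analyze("/usr/local/lib/libprocesshider.so\n",
                  listed_pids={1, 2, 100, 4242},
                  probed_pids={1, 2, 100, 4242, 31337}))
    # On a real host: print(collect_live())
```

    A non-empty result from either check on a Docker host is worth an immediate look; a static ps build or a reader that uses the getdents64 syscall directly gives the same ground truth without the brute-force probe.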

    The spread_docker_local.sh script "uses masscan and zgrab to scan the same LAN ranges [...] for nodes with ports 2375, 2376, 2377, 4244, and 4243 open," according to the researchers. These ports are associated with either Docker Engine or Docker Swarm. For any IPs discovered with these target ports open, the malware attempts to spawn a new container with the name alpine, which is based on an image named upspin, hosted on Docker Hub by the user nmlmweb3.
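    The port list the researchers quote is a usable detection key on its own: a single internal host opening connections to many neighbours on those ports inside a short window is the propagation step, not normal traffic. The following is an added example (not from the article or from Datadog) that runs that logic over a constructed, simplified connection log with one "ts src dst dport" record per line, in the spirit of a reduced Zeek conn.log; the addresses, timestamps and thresholds are constructed.

```python
"""Flag internal hosts sweeping the LAN for Docker Engine / Swarm ports.

Added example, not from the page or Datadog. Input is a constructed,
simplified connection log ("ts src dst dport" per line); the port list is the
one the report cites.
"""
from collections import defaultdict
import ipaddress

DOCKER_PORTS = {2375, 2376, 2377, 4243, 4244}

# Constructed sample: 10.0.1.23 sweeps six neighbours on Docker ports inside
# one minute; 10.0.1.9 talks repeatedly to one host and is benign.
SAMPLE_LOG = """\
1727769600.10 10.0.1.23 10.0.1.2 2375
1727769600.11 10.0.1.23 10.0.1.3 2375
1727769600.12 10.0.1.23 10.0.1.4 2376
1727769600.13 10.0.1.23 10.0.1.5 2377
1727769600.14 10.0.1.23 10.0.1.6 4243
1727769600.15 10.0.1.23 10.0.1.7 4244
1727769601.00 10.0.1.9 10.0.1.50 2376
1727769602.00 10.0.1.9 10.0.1.50 2376
1727769603.00 10.0.1.23 198.51.100.7 443
"""


def parse(log_text):
    """Yield (ts, src, dst, dport) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield float(ts), src, dst, int(dport)


def detect_sweeps(log_text, min_targets=5, window_s=60, internal_only=True):
    """Return {src: sorted distinct targets} for every source that touched at
    least min_targets distinct hosts on Docker ports within one window_s bucket."""
    buckets = defaultdict(set)      # (src, bucket) -> {dst}
    for ts, src, dst, dport in parse(log_text):
        if dport not in DOCKER_PORTS:
            continue
        if internal_only and not ipaddress.ip_address(dst).is_private:
            continue
        buckets[(src, int(ts // window_s))].add(dst)
    hits = {}
    for (src, _), targets in buckets.items():
        if len(targets) >= min_targets:
            merged = set(hits.get(src, ())) | targets
            hits[src] = sorted(merged, key=ipaddress.ip_address)
    return hits


if __name__ == "__main__":
    for src, targets in detect_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {src} swept {len(targets)} hosts on Docker ports: {targets}")
```

    Orchestration nodes that legitimately reach many workers on 2377 should be allowlisted by source address rather than by raising the threshold, so that a compromised worker still stands out.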

    This setup allows the malicious swarm botnet to propagate in a worm-like fashion to other Docker hosts. The Docker image tag used to retrieve the image from Docker Hub is specified in a text file hosted on the C2 server, making it easy for the threat actors to recover from potential takedowns by simply changing the file contents.

    The final stage of the attack involves executing another shell script called setup_mr.sh that retrieves and launches the cryptocurrency miner. The researchers discovered three other scripts hosted on the C2 server - ar.sh, TDGINIT.sh, and pdflushs.sh - which demonstrate additional tactics used by the attackers.

    TDGINIT.sh is notable for its manipulation of Docker Swarm by forcing the host to leave any existing Swarm it may be part of and add it to a new Swarm under the attacker's control. This allows the threat actor to expand their control over multiple Docker instances in a coordinated fashion, effectively turning compromised systems into a botnet for further exploitation.

    The Datadog researchers noted that this campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors conducting cryptojacking at scale. The attackers relied on Docker API endpoints being exposed to the Internet without authentication, and their ability to propagate rapidly means that even if the chances of initial access are relatively slim, the rewards are high enough to keep cloud-focused malware groups motivated to continue conducting these attacks.

    The discovery of this malicious swarm botnet highlights the importance of securing Docker API endpoints and ensuring they are properly authenticated. It also underscores the need for continued vigilance in monitoring for potential security threats and promptly addressing vulnerabilities before they can be exploited by attackers.
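    The exposure the whole campaign depends on is a daemon listening on TCP without client-certificate verification, and it is cheap to audit. The following is an added example (not from the article or from Datadog) that checks the two places the listen address is normally set: daemon.json and the systemd unit's ExecStart line. The daemon.json keys and dockerd flags it recognises (hosts, tlsverify, tlscacert, tlscert, tlskey; -H/--host, --tlsverify) are Docker's own; the weak and hardened sample configurations and the file paths in them are constructed.

```python
"""Audit how the Docker daemon exposes its API.

Added example, not from the page. Reads daemon.json text or a systemd
ExecStart= line and flags TCP listeners without client-certificate
verification. Sample configurations are constructed; the keys and flags are
Docker's documented ones.
"""
import json
import re
import shlex

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def tcp_hosts(hosts):
    return [h for h in hosts if h.startswith("tcp://")]


def audit_daemon_json(text):
    """Findings for a daemon.json document (given as its JSON text)."""
    cfg = json.loads(text)
    return _audit(tcp_hosts(cfg.get("hosts", [])),
                  bool(cfg.get("tlsverify")),
                  all(cfg.get(k) for k in TLS_FILE_KEYS))


def audit_execstart(line):
    """Findings for an ExecStart= line such as
    'ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'."""
    argv = shlex.split(line.split("=", 1)[1])
    hosts, tlsverify, tlsfiles = [], False, set()
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host"):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        else:
            m = re.match(r"--(tlscacert|tlscert|tlskey)=", arg)
            if m:
                tlsfiles.add(m.group(1))
        i += 1
    return _audit(tcp_hosts(hosts), tlsverify, tlsfiles == set(TLS_FILE_KEYS))


def _audit(tcp, tlsverify, tls_files_complete):
    findings = []
    for h in tcp:
        bind = h[len("tcp://"):]
        if not tlsverify:
            findings.append(f"CRITICAL {h}: API reachable over TCP with no client authentication")
        elif not tls_files_complete:
            findings.append(f"HIGH {h}: tlsverify set but CA/cert/key not all configured")
        # "tcp://:2375" and "tcp://0.0.0.0:2375" both mean every interface
        if bind.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"WARN {h}: bound to all interfaces; prefer a management address")
    return findings


# Constructed samples: the exposure this campaign relies on, and a hardened form.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.23:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_daemon_json(text) or ["ok"])
```

    A TLS listener on 2376 is only half the fix: the CA that signs client certificates becomes the daemon's root of trust, and a host that does not need remote management at all is better served by the unix socket alone plus a host firewall rule on the Docker ports.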



    Related Information:

  • https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html

  • https://cyber.vumetric.com/security-news/2024/10/01/new-cryptojacking-attack-targets-docker-api-to-create-malicious-swarm-botnet/


  • Published: Tue Oct 1 08:30:08 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.