Docker Hub Distributes Images with Malware
With Docker’s increasing popularity as a service for application packaging and deployment, malicious actors are seeking for opportunities to target exposed API endpoints and create malware-infected images in order to facilitate mining of cryptocurrencies and DDoS attacks.
A Palo Alto Networks’ Unit 42 threat intelligence team explains in a report that the purpose of the malicious Docker images is to be distributed by the Docker Hub with the idea to generate money through a crypo-currency miner that utilizes Docker containers.
The researchers from the team explain that Docker containers are a simple way to package software, as is evident from their increasing rate of adoption among common users and companies. They share that if used in tandem with coin mining malware Docker containers allows for hackers to deliver their malware-infested images to any Docker-supporting system and instantly start to use its resources for cryptojacking.
Docker is a famous Linux and Windows platform-as-a-service solution (PaaS) for deploying, testing and packaging applications in a contained virtual environment.
The Docker Hub account, named “azurenql”, which was taken down due to distributing malicious images consisted of eight repositories with six malware-infected images capable of stealing Monero cryptocurrency.
The developer of the malware behind the images used a Python script to perform cryptojacking and the help of network anonymizing software like ProxyChains and Tor to prevent being detected.
The coin mining code embedded in the images took advantage of the processing power of the contaminated systems to mine the blocks.
What is quite disturbing is the fact that since the start of the campaign in October 2019, the images hosted on the taken-down account have been collectively pulled more than two million times. One of the wallet IDs has even been used to earn more than 525,38 XMR which equals to $36,000.
DDoS malware targets exposed Docker Servers
A new mass scanning campaign spotted by researchers from Trend Micro reveals that, unprotected Docker servers are being targeted with at least two separate forms of malware – XOR DDoS and Kaiji – both of which are aimed at collecting system information and performing DDoS attacks.
The researchers explain that after searching for open Secure Shell (SSH) and Telnet ports, the attackers usually used botnets to carry out brute-force attacks. The malicious actors are now also just hunting for exposed ports of Docker servers (2375).
It is worth mentioning that both XOR DDoS and Kaiji are regarded as Linux Trojans for their potential to execute DDoS attacks. Kaiji is being developed entirely from scratch using Go programming language and is specifically aimed at IoT devices that it compromises via SSH brute-forcing.
The malware strain of XOR DDoS works by searching out Hosts with open Docker API ports, then submitting a command to list all the containers on the target server, and finally compromising them with the XORDDoS malware. Similarly, Kaiji searches the internet for hosts with exposed port 2375 to deploy a rogue ARM container (“linux arm”) that executes the binary for Kaiji malware.
The researchers also acknowledge the distinctions between the two malware variants and explain that whilst the XOR DDoS attack penetrates the Docker server to infect all its containers, the attack from Kaiji deploys a container of its own which contains its DDoS malware. Furthermore, the two malware pieces collect data such as name of domain, network speeds, CPU and network data that are required to launch a DDoS attack.
The researchers conclude that the malicious actors behind different malware variants constantly update their malicious code with more advanced features so that they can execute assaults from other points of entry. And since Docker servers are a common choice for a lot of users and companies due to their ease of use, this makes them often an enticing target for cyber-criminals searching for networks that they can exploit.
With that being said, it is important that users and businesses operating Docker instances immediately test if their API endpoints are exposed on the Web, close the ports, and apply best online safety practices.