Docker Images Containing Cryptojacking Malware Distributed Via Docker Hub

With Docker growing in popularity as a way to package and deploy software applications, attackers are taking advantage of poor security practices by targeting exposed Docker API endpoints to install malware and by publishing malware-laden images that mine cryptocurrency. According to a report from Palo Alto Networks’ Unit 42 threat intelligence team, a Docker Hub account named “azurenql” publicly shared eight repositories hosting six malicious images capable of mining Monero, a privacy-focused cryptocurrency. The images exist to generate funds for their operator: each one carries a cryptocurrency miner disguised as an ordinary Docker image, and Docker Hub serves as the distribution channel. The malicious images had been pulled over two million times since October 2019, although the account has since been removed from Docker Hub. Docker is a well-known platform-as-a-service solution for Linux and Windows that lets developers deploy, test, and package their applications in a virtual environment, essentially isolating the service from the host system it runs on.

Malicious Docker images aren’t the only way attackers have been compromising organizations through Docker, however. Trend Micro researchers spotted a massive scanning operation looking for unprotected Docker servers connected to the Internet with port 2375 open to connections from external sources. These exposed servers are being targeted with at least two different kinds of malware, XORDDoS and Kaiji, to collect system information and carry out DDoS attacks. Both XORDDoS and Kaiji are Linux trojans known for conducting DDoS attacks; the latter was written entirely from scratch in the Go programming language. Kaiji normally spreads by targeting IoT devices via SSH brute-forcing, but has now added Docker to its list of targets to scan for and exploit.

Analyst Notes

While Docker is an extremely convenient way to package all of a piece of software’s dependencies into an image, developer adoption has in many cases outpaced security best practices. Security professionals should collaborate with developer and implementation teams to test and validate any Docker images that their company obtains from outside sources, such as Docker Hub. IT operations personnel should also be educated about the dangers inherent in downloading and running Docker images provided by unknown entities. As the two million pulls of the malicious images demonstrate, it may be common practice for some organizations to simply search public services for available images and install whatever they find without any security testing.

To protect installed Docker servers, users and organizations who run Docker are advised to immediately check whether they have API endpoints exposed on the Internet and to close those ports. Attached are Docker’s recommendations on how to further secure systems that run Docker. It is also advisable to employ a service, such as TrustedSec, that performs penetration testing to find flaws in security systems and advises organizations on how to correct them.
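As an added illustration of that check (example code written for this note, not part of the original advisory or of Docker’s own tooling), the script below audits a Linux Docker host for an API listener reachable beyond loopback. It reads the socket list from `ss -Hltn` and the `hosts` setting in `/etc/docker/daemon.json`; the sample inputs embedded at the bottom are constructed so the parsing functions can be exercised offline.

```python
"""Audit a Docker host for an API endpoint reachable from the network.

Two signals are checked: (1) TCP listeners on the Docker API ports
(2375 plain HTTP, 2376 conventionally TLS) bound to a non-loopback
address, as reported by `ss -Hltn`; (2) a `hosts` entry in
/etc/docker/daemon.json that tells dockerd to listen on tcp://.
A hit on 2376 still merits review of whether client certificates are
enforced, so both ports are reported. Sample inputs are constructed.
"""
import json
import subprocess

DOCKER_API_PORTS = {2375, 2376}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def split_addr(sock: str):
    """'0.0.0.0:2375' -> ('0.0.0.0', 2375); also handles '[::]:2375' and '*:2375'."""
    addr, _, port = sock.rpartition(":")
    return addr, int(port)


def exposed_listeners(ss_output: str):
    """Return (addr, port) for each Docker API port bound beyond loopback."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()  # State Recv-Q Send-Q Local:Port Peer:Port ...
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = split_addr(fields[3])
        if port in DOCKER_API_PORTS and addr not in LOOPBACK:
            hits.append((addr, port))
    return hits


def tcp_hosts(daemon_json: str):
    """Return tcp:// entries from the daemon.json 'hosts' list (empty input -> none)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def run_live():
    """Query the real host; returns (exposed listeners, tcp hosts in daemon.json)."""
    ss = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    try:
        cfg = open("/etc/docker/daemon.json").read()
    except FileNotFoundError:
        cfg = ""
    return exposed_listeners(ss), tcp_hosts(cfg)


# Constructed sample: plain-HTTP API on all interfaces, SSH on loopback only.
SAMPLE_SS = "LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*\nLISTEN 0 128 127.0.0.1:22 0.0.0.0:*\n"
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_SS), tcp_hosts(SAMPLE_DAEMON_JSON))
```

Any non-empty result from `run_live()` means the daemon is reachable over TCP from outside the host; the fix is to remove the `tcp://` host (or bind it to loopback behind a TLS-terminating, authenticating front end) and restart dockerd.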

Source Article:

Docker Security Recommendations: