Researchers from Unit 42 have uncovered a new Cryptojacking worm dubbed “Graboid” that has spread to over 2,000 unsecured Docker hosts. Unit 42 derived this name by paying homage to the 1990’s movie “Tremors,” since this worm behaves similarly to the sandworms in the movie. A crypto-jacking worm is defined as malware that uses victim computers’ CPU resources to run the intensive calculations needed to “mine” digital currencies and automatically spread to other computers to do the same. The research shows that this is the first Cryptojacking worm that is spread using containers in the Docker engine. Authors of the Graboid worm gained an initial foothold through unsecured Docker hosts where a Docker image was first installed. After this, the crypto-jacking worm is deployed to mine for the Monero crypto-currency. Meanwhile, the worm periodically checks for new vulnerable hosts from the Command and Control (C&C) server and selects the next target at random. Docker image “pocosow/centos” contains a docker client tool that is used to communicate with other Docker hosts. Additionally, “pocosow/centos” is used to download a set of four shell scripts from the C&C server and execute them. Researchers noted that “pocosow/centos” docker image had been downloaded more than 10,000 times. The research also shows that it takes about 60 minutes to reach all the 1,400 vulnerable hosts. On average, there are almost 900 active miners at any given time and each miner is active 63% of the time. Each mining period lasts for approximately 250 seconds. The researchers concluded, “While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored. If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so organizations must safeguard their Docker hosts.”
Organizations should never expose a docker daemon to the internet without any authentication. The docker daemons should be periodically checked for unknown containers or images in the system. It is always recommended to use Unix socket to communicate with Docker daemon locally or use SSH to connect remotely. Firewall rules should be used to whitelist incoming traffic to a small set of sources. The researchers at Unit 42 were able to find exposed Docker daemons by using a simple search on Shodan.io. IT security professionals should periodically search the public IP address space of their company using tools like shodan.io and censys.io to discover whether any public-facing servers are advertising services that should not be public.