With Docker increasing in popularity as a way to package and deploy software applications, attackers are taking advantage of poor security practices by targeting exposed Docker API endpoints to install malware and by publishing malware-infested images that mine cryptocurrency. According to a report from Palo Alto Networks’ Unit 42 threat intelligence team, a Docker Hub account named “azurenql” publicly shared eight repositories hosting six malicious images capable of mining Monero, a privacy-focused cryptocurrency. The purpose of these images was to generate funds by deploying cryptocurrency miners disguised as ordinary Docker images, with Docker Hub itself serving as the distribution channel. The malicious images had been pulled more than two million times since October 2019, although the account has since been removed from Docker Hub. Docker is a well-known platform-as-a-service solution for Linux and Windows that lets developers package, test, and deploy their applications in an isolated environment, essentially separating the service from the host system it runs on.
Malicious Docker images are not the only way attackers have been compromising organizations through Docker, however. Trend Micro researchers spotted a massive scanning operation looking for unprotected Docker servers connected to the Internet with port 2375 open to connections from external sources. These exposed servers are being targeted with at least two different kinds of malware, XorDDoS and Kaiji, to collect system information and carry out DDoS attacks. Both XorDDoS and Kaiji are Linux trojans known for their ability to conduct DDoS attacks; the latter was written entirely from scratch in the Go programming language. Kaiji normally spreads by targeting IoT devices via SSH brute-forcing, but it has now added Docker to its list of targets to scan for and exploit.
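The exposure those scans look for is a Docker daemon whose API is bound to a TCP port without client-certificate verification. As an added defensive check (not code from the article, Unit 42, Trend Micro or Docker), the following Python audit reads the same two places dockerd takes its listen settings from, the `hosts`, `tls` and `tlsverify` fields of `daemon.json` and the `-H`/`--host` and `--tlsverify` command-line flags, and flags any TCP listener that would accept unauthenticated API calls. The function names and the sample configuration are constructed for this example.

```python
"""Hypothetical audit helper: flag dockerd API listeners reachable over TCP
without client-certificate checks (the port-2375 exposure described above).
Not Docker's own tooling; field and flag names match dockerd's, the sample
configuration below is constructed."""
from urllib.parse import urlsplit

# Constructed sample of a weak /etc/docker/daemon.json for the demo below.
WEAK_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}


def listen_addresses(daemon_json, dockerd_args):
    """Collect every listen address from daemon.json and the dockerd flags."""
    hosts = list(daemon_json.get("hosts", []))
    args = iter(dockerd_args)
    for arg in args:
        if arg in ("-H", "--host"):
            hosts.append(next(args, ""))
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def tls_client_auth_enabled(daemon_json, dockerd_args):
    """True only when dockerd demands client certificates (tlsverify)."""
    if daemon_json.get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in dockerd_args)


def unauthenticated_tcp_listeners(daemon_json, dockerd_args):
    """Return the TCP listen addresses that accept API calls with no client
    authentication. unix:// and fd:// sockets are skipped: they are gated by
    file permissions and are not reachable from the network. A bare
    "tls": true is not enough; it encrypts the channel but still lets any
    client that connects start containers on the host."""
    if tls_client_auth_enabled(daemon_json, dockerd_args):
        return []
    flagged = []
    for host in listen_addresses(daemon_json, dockerd_args):
        # dockerd listens on 2375 when a tcp:// address names no port.
        if urlsplit(host).scheme == "tcp":
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    print(unauthenticated_tcp_listeners(WEAK_DAEMON_JSON, []))  # ['tcp://0.0.0.0:2375']
```

Run it against the live `daemon.json` and the arguments of the running `dockerd` process; a non-empty result is exactly the configuration the scanning campaign is hunting for.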