A cybercrime gang has targeted poorly configured Docker containers to mine for cryptocurrency.
In October, security researchers at Trend Micro observed attackers targeting poorly configured servers with exposed Docker REST APIs by spinning up containers from images that execute malicious scripts.
These scripts did three things. First, they downloaded or bundled Monero cryptocurrency coin miners. Second, they performed container-to-host escapes using well-known techniques. Lastly, they ran internet-wide scans for exposed ports from the compromised containers.
The campaign's compromised containers also tried to collect information, such as the server's operating system, the container registry set for use, the server's architecture, its current swarm participation status, and the number of CPU cores.
To gain more information about the misconfigured server, such as uptime and total memory available, the threat actors also spin up containers using the docker CLI with the "--privileged" flag, the network namespace of the underlying host ("--net=host"), and the underlying host's root file system mounted at the container path "/host".
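The three flags above leave a visible footprint in `docker inspect` output, so a defender can check a host for containers started this way. The script below is an added example (not code from Trend Micro or from the campaign) that reads `docker inspect` JSON and flags containers that are privileged, share the host network namespace, or bind-mount the host root into the container; the sample records and image names in it are constructed.

```python
"""Flag containers that match the --privileged / --net=host / -v /:/host pattern.

Added example, not code from the article or its sources. Input is the JSON
array printed by `docker inspect <ids...>`; only the HostConfig.Privileged,
HostConfig.NetworkMode and Mounts fields of each record are used.
"""
import json
import sys
from typing import Dict, List


def escape_indicators(container: Dict) -> List[str]:
    """Return the host-escape indicators present on one inspect record."""
    host_cfg = container.get("HostConfig") or {}
    findings: List[str] = []
    if host_cfg.get("Privileged"):
        findings.append("privileged")            # started with --privileged
    if host_cfg.get("NetworkMode") == "host":
        findings.append("host-network")          # started with --net=host
    # `Mounts` is the daemon's normalised view of -v/--mount; a bind mount whose
    # source is "/" hands the container every file on the host.
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source") == "/":
            findings.append("host-root-bind:" + str(mount.get("Destination")))
    return findings


def audit(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> indicators for every record in the inspect array."""
    return {
        rec.get("Name", rec.get("Id", "?")).lstrip("/"): escape_indicators(rec)
        for rec in json.loads(inspect_json)
    }


def suspicious(inspect_json: str) -> List[str]:
    """Names of containers carrying at least one escape indicator."""
    return [name for name, hits in audit(inspect_json).items() if hits]


# Constructed sample: a trimmed-down inspect array with one benign container
# and one started the way the article describes. Image names are hypothetical.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Privileged": False, "NetworkMode": "bridge"},
        "Mounts": [{"Type": "volume", "Source": "webdata",
                    "Destination": "/usr/share/nginx/html"}],
    },
    {
        "Id": "bbbb2222",
        "Name": "/sharp_kilby",
        "Config": {"Image": "alpineos/example"},
        "HostConfig": {"Privileged": True, "NetworkMode": "host",
                       "Binds": ["/:/host"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}],
    },
])


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_containers.py -
    # Without "-" the constructed sample is audited instead.
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_INSPECT
    for name, hits in audit(data).items():
        print(f"{name}: {', '.join(hits) if hits else 'ok'}")
```

Any one of the three indicators on a container you did not start yourself is worth investigating; all three together on a container pulled from an unfamiliar registry account is the pattern described in the text.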
The researchers found Docker Hub registry accounts that were either compromised or belong to TeamTNT.
"These accounts were being used to host malicious images and were an active part of botnets and malware campaigns that abused the Docker REST API," said the researchers. They then contacted Docker to have the accounts removed.
Trend Micro researchers said the same attackers had also used credential stealers that collect credentials from configuration files back in July. The researchers believe this is how TeamTNT obtained the information it used for the compromised sites in this attack.
"Based on the scripts being executed and the tooling being used to deliver coinminers, we arrive at the following conclusions connecting this attack to TeamTNT," said the researchers. "'alpineos' (with a total of more than 150,000 pulls with all images combined) is one of the primary Docker Hub accounts being actively used by TeamTNT. There are compromised Docker Hub accounts that are being controlled by TeamTNT to spread coin mining malware."
The researchers said that exposed Docker application programming interfaces (APIs) have become prevalent targets for attackers. These allow them to execute their malicious code with root privileges on a targeted host if security considerations are not accounted for.
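The exposure the paragraph describes is usually a daemon listening on TCP without client authentication. The script below is an added example (not code from the article or from Docker) that reads a `daemon.json`, reports any `tcp://` listener that lacks `tlsverify` with a CA certificate, and shows a constructed weak configuration next to a hardened one; the `hosts`, `tlsverify` and `tlscacert` keys are real daemon settings, the paths and addresses are assumptions.

```python
"""Check a Docker daemon.json for an API listener an attacker could reach.

Added example, not code from the article or from Docker. `hosts`, `tlsverify`
and `tlscacert` are real daemon.json keys; the two configs below are constructed.
"""
import json
from typing import List


def _bind_address(tcp_host: str) -> str:
    """Host part of a tcp://host:port entry ("" when the host is omitted)."""
    return tcp_host[len("tcp://"):].rsplit(":", 1)[0]


def api_exposure(daemon_json: str) -> List[str]:
    """Return one finding per TCP listener that is reachable without a client cert."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    # tlsverify alone is not enough: without a CA to verify against the daemon
    # cannot authenticate the client certificate it is handed.
    client_auth = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    for host in cfg.get("hosts") or []:
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// are local-only
        if not client_auth:
            findings.append(f"{host}: TCP listener without tlsverify; anyone who "
                            "can reach it controls the daemon as root")
        elif _bind_address(host) in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: client-authenticated but bound to all "
                            "interfaces; restrict to a management address")
    return findings


# Constructed weak config: the unauthenticated listener the campaign scans for.
WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

# Constructed hardened config: TLS with client-certificate verification, bound
# to a single management address. Paths and address are assumptions.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label + ":", api_exposure(cfg) or "no exposed listener")
```

Run it against a real `/etc/docker/daemon.json` by passing the file contents to `api_exposure`; a daemon started with `-H tcp://...` on the command line instead of in `daemon.json` has the same exposure and should be checked the same way.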
"This recent attack only highlights the increasing sophistication with which exposed servers are targeted, especially by capable threat actors like TeamTNT that use compromised user credentials to fulfill their malicious motives," they added.