A new cryptojacking campaign exploiting the Docker Engine API has been discovered. The large-scale hacking campaign is targeting Docker Swarm, Kubernetes, and Secure Socket Shell (SSH) servers. Continue reading this Cybersecurity Threat Advisory to learn how to mitigate your risk from these vulnerabilities.
What is the threat?
The attackers start by scanning the internet for exposed and unauthenticated Docker API endpoints, using tools such as Masscan and ZGrab to locate vulnerable Docker environments. After gaining access, they deploy an Alpine container and download a malicious shell script from a remote server. This script is used to deploy the XMRig cryptocurrency miner, conceal it from process monitoring tools, and spread the attack to other containers through lateral movement.
Once a Docker container is compromised, the attack quickly expands beyond the initial breach. The attackers deploy additional scripts that allow them to move laterally throughout the network, targeting Docker, Kubernetes, and SSH endpoints. These scripts scan local networks for open Docker ports and exploit other hosts running Docker Swarm or Kubernetes orchestration systems.
Why is this noteworthy?
A crucial aspect of the attack includes its ability to broadcast like a worm. The attackers can create new containers on any host with vulnerable Docker endpoints by utilizing a Docker image hosted on Docker Hub. This image executes another script that further spreads the infection, integrating the compromised systems into a larger botnet.
Threat actors leveraged Docker Swarm’s orchestration features for command-and-control (C2) operations as well. You can integrate SSH servers with these tools to manage and secure remote access to the nodes within your clusters. This malware campaign focuses on exploiting Docker and Kubernetes environments, with vulnerabilities in Docker API endpoints serving as the initial access vector for attacks.
What is the exposure or risk?
The most concerning aspect of this attack is the exploitation of Docker Swarm to organize the compromised systems. Docker Swarm is a native orchestration tool that enables multiple Docker engines to function as a unified virtual system. The attackers take advantage of this capability to establish a botnet, allowing them to centrally control all compromised Docker instances. This centralization facilitates large-scale, coordinated crypto-mining operations, generating significant revenue with minimal effort.
Additionally, the attack script forces compromised hosts to detach from any legitimate Docker Swarm they may be part of and join the attackers’ own Swarm. This further extends the threat actor’s control, transforming the compromised hosts into a botnet that can be exploited for cryptojacking or other purposes, such as distributed denial-of-service (DDoS) attacks.
In addition to crypto mining, the attackers establish long-term access to the compromised systems by deploying a series of scripts, including ar.sh, TDGINIT.sh, and pdflushs.sh. These scripts modify firewall rules, clear logs, and create a persistent backdoor via SSH. By adding their SSH keys to the root user’s authorized keys file, the attackers ensure they can maintain access to the compromised hosts, even after reboots or security patches are applied.
What are the recommendations?
Barracuda MSP recommends the following actions to mitigate your risk:
- Authenticate all Docker API endpoints and make sure they are not exposed to the internet.
- Implement strict firewall rules to limit access only to trusted IP addresses.
- Configure Docker and Kubernetes environments to use role-based access control (RBAC), ensuring that only authorized users and services have access to critical functions.
- Monitor Docker and Kubernetes logs regularly for signs of unusual activity, such as unexpected container creation or the presence of unfamiliar scripts.
- Apply the latest security patches to all Docker, Kubernetes, and SSH systems.
- Scan for vulnerabilities regularly.
- Use key-based authentication for SSH and disable password-based logins.
- Audit SSH keys and authorized users regularly to prevent unauthorized access.
- Use intrusion detection systems (IDS) solutions to detect and block suspicious traffic.
References
For more in-depth information about the recommendations, please visit the following links:
- https://medium.com/@costigermano/new-cryptojacking-attack-exploits-docker-api-to-form-a-malicious-swarm-botnet-6ced34536268
- https://cybersecuritynews.com/hackers-exploiting-docker-swarm/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.