Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.
During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:
The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:
nginx: Trojan.Linux.Agent.gen;
Dero crypto miner: RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.
After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
Attackers are using Docker Hub for malicious campaigns of various types, including spreading malware, phishing and scams. Read the analysis of 3 malware campaigns.
Four vulnerabilities collectively called "Leaky Vessels" allow hackers to escape containers and access data on the underlying host operating system.
The flaws were discovered by Snyk security researcher Rory McNamara in November 2023, who reported them to impacted parties for fixing.
Snyk has found no signs of active exploitation of the Leaky Vessels flaws in the wild, but the publicity could change the exploitation status, so all impacted system admins are recommended to apply the available security updates as soon as possible.
We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.
CrowdStrike has uncovered a new cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.
Called “Kiss-a-dog,” the campaign used multiple command-and-control (C2) servers to launch attacks that attempted to mine cryptocurrency, utilize user and kernel mode rootkits to hide the activity, backdoor compromised containers, move laterally in the network and gain persistence.
The CrowdStrike Falcon® platform helps protect organizations of all sizes from sophisticated breaches, including cryptojacking campaigns such as this.
Low-level crimeware gang has been exploiting misconfigured and publicly accessible Docker and other cloud instances with roaring success.
Operators of the LemonDuck botnet are targeting Docker instances in a cryptocurrency mining campaign.
Despite the fact that it is not a 'real' vulnerability, escaping privileged Docker containers is nevertheless pretty funny. And because there will always be people who will come up with reasons or excuses to run a privileged container (even though you really shouldn't), this could really be handy at some point in the future
On Feb. 4, Linux announced CVE-2022-0492, a new privilege escalation vulnerability in the kernel. CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers. The issue stands out as one of the simplest Linux privilege escalations discovered in recent times: The Linux kernel mistakenly exposed a privileged operation to unprivileged users.
