When the container is deployed and started, it drops an auto.sh script that downloads a Monero miner and configures it to launch automatically. The script also downloads the port scanner masscan, which it uses to look for further exposed Docker Engine instances on ports 2375 and 2376 and then tries to spread to them.
Scan all networks reachable from the host, at a rate of 50,000 packets per second, for open ports 2375 and 2376; the result is saved in local.txt (the command is anonymized/defanged):
masscan "[email protected]" -p2375,2376 --rate=50000 -oG local.txt;
Conduct lateral movement by infecting or abusing the hosts found during reconnaissance. The sed command rewrites each masscan result line in place to a bare host:port pair, and test3.sh then works through that list:
sudo sed -i 's/^Host: \([0-9.]*\).*Ports: \([0-9]*\).*$/\1:\2/g' local.txt;
sudo sh test3.sh local.txt;
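The reconnaissance step above, worked through on constructed data as an added example (this is not code from the Trend Micro report or from the malware): masscan's grepable output is reduced to host:port pairs, which is the same result the attacker's sed rewrite produces, each pair is mapped to the Docker Engine API URL a probe would request, and a captured reply is checked for the fields GET /version returns. The sample scan output, the sample reply, and the assumption that only ports 2375 and 2376 carry Docker are ours.

```shell
#!/bin/sh
# Added example; not code from the Trend Micro report or from the malware.
# It walks through the reconnaissance step: masscan's grepable output is
# reduced to host:port pairs (the same result the attacker's sed rewrite
# produces), each pair is mapped to the Docker Engine API URL a probe would
# request, and a captured reply is checked for the fields /version returns.

# Constructed sample modelled on masscan's grepable (-oG) output. The hosts
# are RFC 5737 documentation addresses, not real targets.
fmt='Timestamp: %s\tHost: %s ()\tPorts: %s/open/tcp////\n'
SAMPLE_MASSCAN=$(
    printf '# Masscan 1.0.5 scan initiated\n'
    printf "$fmt" 1550000000 192.0.2.10 2375
    printf "$fmt" 1550000001 192.0.2.11 2376
    printf "$fmt" 1550000002 198.51.100.7 2375
    printf '# Masscan done\n'
)

# Constructed reply body with the shape of a real GET /version response
# (abbreviated).
SAMPLE_VERSION='{"Version":"18.09.0","ApiVersion":"1.39","MinAPIVersion":"1.12","Os":"linux","Arch":"amd64"}'

# masscan_targets: read grepable output on stdin and print one host:port
# line per open port. Comment lines have no "Host:" field and are dropped.
# Unlike the attacker's sed -i, this does not rewrite the source file.
masscan_targets() {
    sed -n 's/^.*Host: \([0-9.]*\).*Ports: \([0-9]*\)\/open.*$/\1:\2/p'
}

# docker_api_url: map host:port to the /version endpoint a probe would hit.
# 2375 is the conventional plaintext port, 2376 the TLS port; anything else
# is rejected. Treating only these two ports as Docker is our assumption.
docker_api_url() {
    host=${1%:*}
    port=${1##*:}
    case $port in
        2375) printf 'http://%s:2375/version\n' "$host" ;;
        2376) printf 'https://%s:2376/version\n' "$host" ;;
        *)    return 1 ;;
    esac
}

# looks_like_docker_api: succeed when a response body carries both the
# ApiVersion and Version keys, which is how a scanner tells a Docker daemon
# apart from some other HTTP service answering on the same port.
looks_like_docker_api() {
    printf '%s' "$1" | grep -q '"ApiVersion"' &&
        printf '%s' "$1" | grep -q '"Version"'
}

# Stand-alone run: list the probe URLs the sample scan would yield, then
# classify the sample reply.
printf '%s\n' "$SAMPLE_MASSCAN" | masscan_targets | while read -r target; do
    docker_api_url "$target"
done
if looks_like_docker_api "$SAMPLE_VERSION"; then
    echo "sample reply: Docker Engine API"
fi
```

The defensive reading of the same steps: if masscan_targets applied to a scan of your own ranges prints anything, that host's daemon answers on the network, and a /version reply without a client certificate being asked for means anyone who can reach it can start containers as root on that host.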
In this way a large number of Docker Engine instances can be harvested to mine cryptocurrency for the attacker.
Although abuse of the Docker Engine API is not new, it remains a problem because administrators do not properly secure their deployments. To keep attackers from abusing insecure Docker Engine deployments, Trend Micro recommends that administrators adopt the following measures:
- Harden the security posture. The Center for Internet Security (CIS) publishes a Docker benchmark that system administrators and security teams can use as a baseline for securing their Docker Engine.
- Ensure that container images are authenticated, signed, and pulled from a trusted registry (e.g., Docker Trusted Registry). Automated image scanning tools also help catch known-vulnerable images early in the development cycle.
- Enforce the principle of least privilege. For instance, restrict access to the daemon, and protect any network-exposed daemon socket with TLS so that traffic is encrypted and clients must present a certificate. Docker's documentation explains how to protect the daemon socket.
- Limit the resources containers are allowed to consume with control groups (cgroups), and isolate them from each other and from the host with namespaces.
- Enable Docker's built-in security features to help defend against threats. Docker publishes guidelines on how to configure Docker-based applications securely.
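The "protect the daemon socket" recommendation above, as an added example rather than anything from the Trend Micro report or Docker's own documentation: a daemon.json that exposes the Engine API without authentication is placed next to one that only encrypts the connection and one that requires mutual TLS, and a small audit function flags the two weak forms. The file contents are constructed, the certificate paths are placeholders, and the audit is a grep over the text rather than a JSON parser.

```shell
#!/bin/sh
# Added example; not from the Trend Micro report or Docker's documentation.
# It places a daemon.json that exposes the Engine API without authentication
# next to one that requires mutual TLS, and gives a small audit that flags
# the weak forms. File contents are constructed and the certificate paths
# are placeholders.

# Weak: the API listens on every interface on 2375 with no TLS. Anyone who
# can reach the port can start a privileged container, i.e. root on the host.
WEAK_DAEMON_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}'

# Still weak: "tls" alone encrypts the connection but does not authenticate
# the client, so any remote party can still drive the daemon.
ENCRYPTED_ONLY_DAEMON_JSON='{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'

# Hardened: "tlsverify" makes dockerd reject clients whose certificate is not
# signed by the CA in "tlscacert" (mutual TLS), which is what Docker's
# "Protect the Docker daemon socket" guidance sets up.
HARDENED_DAEMON_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'

# daemon_tcp_hosts: print every tcp:// listener named in the "hosts" array.
# This is a grep over the text, not a JSON parser; it assumes the usual
# one-entry-per-string formatting. Use jq on real files.
daemon_tcp_hosts() {
    printf '%s' "$1" | grep -o 'tcp://[^"]*'
}

# daemon_requires_client_cert: succeed when "tlsverify" is set to true.
daemon_requires_client_cert() {
    printf '%s' "$1" | grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true'
}

# daemon_api_unauthenticated: succeed (exit 0) when the daemon would accept
# API calls over TCP from anyone, i.e. a TCP listener exists and client
# certificates are not required.
daemon_api_unauthenticated() {
    daemon_tcp_hosts "$1" >/dev/null && ! daemon_requires_client_cert "$1"
}

# report: one-line verdict for a named configuration.
report() {
    if daemon_api_unauthenticated "$2"; then
        echo "$1: EXPOSED on $(daemon_tcp_hosts "$2" | tr '\n' ' ')"
    else
        echo "$1: ok"
    fi
}

# Stand-alone run over the three constructed configurations.
report weak "$WEAK_DAEMON_JSON"
report encrypted-only "$ENCRYPTED_ONLY_DAEMON_JSON"
report hardened "$HARDENED_DAEMON_JSON"
```

Two practical caveats when applying the hardened form: on systemd installations the dockerd unit already passes -H fd://, and a "hosts" key in daemon.json alongside it makes the daemon refuse to start, so the listener must be configured in one place only; and a client that should talk to the hardened daemon needs its own cert and key signed by the same CA, which is the part of Docker's guidance that is most often skipped in favour of simply opening 2375.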