Most of these attacks followed a very simple pattern: threat actors scanned for misconfigured systems with admin interfaces exposed online, took over the servers, and deployed cryptocurrency-mining malware.
Over the past three years, these attacks have intensified, and new malware strains and threat actors targeting Docker (and Kubernetes) are now being discovered on a regular basis.
But despite the fact that malware attacks on Docker servers are now commonplace, many web developers and infrastructure engineers have not yet learned their lesson and are still misconfiguring Docker servers, leaving them exposed to attacks.
The most common of these mistakes is leaving Docker remote administration API endpoints exposed online without authentication.
The latest of these malware strains was discovered last week by Chinese security firm Qihoo 360. Named Blackrota, this is a backdoor trojan that is basically a simplified version of the CarbonStrike beacon implemented in the Go programming language.
So far, only a Linux version has been found, and it is unclear how the malware is being used: researchers do not know whether a Windows version also exists, whether Blackrota is being used for cryptocurrency mining, or whether it is used to run a DDoS botnet on top of powerful cloud servers.
What is known is that Blackrota relies on developers who have made a mistake and accidentally misconfigured their Docker servers.
The lesson from Blackrota and past attacks is that Docker is no longer a fringe technology. Threat actors now target it deliberately, with at-scale attacks on a near-daily basis.
Companies, web developers, and engineers running Docker systems are advised to review the official Docker documentation to make sure they have secured Docker's remote management capabilities with proper authentication mechanisms, such as certificate-based authentication systems.
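What that mistake looks like in the daemon's own configuration, and how to check for it, is shown in the added example below. It is not code from the article, from Qihoo 360, or from Docker's tooling; it assumes the daemon configuration is available as a parsed daemon.json dictionary, and the key names it inspects ("hosts", "tls", "tlsverify", "tlscacert", "tlscert", "tlskey") are the documented daemon.json options. The sample configurations are constructed for illustration; the listener bound to port 2375 is the unauthenticated exposure the article describes, the one on 2376 with tlsverify is the certificate-based setup Docker's documentation recommends.

```python
"""Audit a Docker daemon.json for a remote API that is reachable without client authentication.

Added example, not the article's or Docker's own code. The daemon.json keys used
below are Docker's documented options; the sample configurations are constructed.
Command-line `-H`/`--tlsverify` flags on dockerd are not parsed here.
"""
import json
from urllib.parse import urlsplit


def audit_daemon_config(config: dict) -> list[str]:
    """Return one finding per exposed TCP listener; an empty list means nothing to report.

    - tlsverify true  : server presents a cert and requires a client cert signed by the CA (ok)
    - tls true only   : traffic is encrypted but any client is accepted (still exposed)
    - neither         : plaintext, unauthenticated API; anyone reaching the port controls the host
    """
    findings: list[str] = []
    hosts = config.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tlsverify = bool(config.get("tlsverify", False))
    tls_only = bool(config.get("tls", False)) and not tlsverify

    for host in hosts:
        # unix:// and fd:// listeners are local-only; only tcp:// is reachable over the network
        if not host.startswith("tcp://"):
            continue
        if tlsverify:
            continue
        parts = urlsplit(host)
        bind = parts.hostname or "0.0.0.0"  # an empty host means all interfaces
        port = parts.port
        if tls_only:
            findings.append(
                f"{host}: TLS enabled but tlsverify is off, so clients are not authenticated on {bind}:{port}"
            )
        else:
            findings.append(
                f"{host}: plaintext API with no authentication on {bind}:{port}"
            )
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Convenience wrapper for the raw contents of /etc/docker/daemon.json."""
    return audit_daemon_config(json.loads(text))


# Constructed sample configurations (not taken from any real host).
EXPOSED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
TLS_NO_CLIENT_AUTH = {
    "hosts": ["tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("tls-only", TLS_NO_CLIENT_AUTH), ("hardened", HARDENED)):
        result = audit_daemon_config(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

The check deliberately treats `tls` without `tlsverify` as a finding: encrypting the channel does nothing to stop an unauthenticated client from starting privileged containers, which is the capability the scanning campaigns described above rely on. Run it against the file a host actually loads (typically /etc/docker/daemon.json) and against any `-H` flags in the dockerd unit file, which this example does not parse.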
With Docker taking a more prominent place in modern infrastructure, with attacks on the rise, and with the number of malware strains targeting Docker systems growing by the month, it is time developers took Docker security seriously.