Exposed Docker hosts can be exploited for cryptojacking attacks

A lack of trusted source security controls is leaving countless containers open to attack.

L0rdix, the Swiss Army knife of Windows hacking, available for purchase in the Dark Web The new tool combines data theft and cryptocurrency mining as a go-to product for attacking Windows machines.

Researchers have uncovered thousands of Docker containers exposed online and ripe for attack for the purposes of illicit cryptocurrency mining.

Docker containers are forms of virtualization technology which can be used to package up code and dependencies for use across different computing environments and operating systems. As containers can be used to streamline IT environments and app testing lifecycles, their use has increased in recent years, with an estimated 3.5 million applications now being used in container environments across the enterprise.

See also: Researchers granted server by gov officials link Sharpshooter attacks to North Korea

It is possible to interact with Docker via terminals or remote application programming interfaces (APIs). However, if these control mechanisms are exposed, this can lead to the compromise of the container and potentially the applications contained within.

A vulnerability, CVE-2019-5736, was publicly reported in February which can be used to secure host root access from a Docker container, and as Imperva researchers note, "the combination of this new vulnerability and exposed remote Docker API can lead to a fully compromised host."

Imperva researchers used the Shodan search engine to find open ports running Docker and how many of these were truly exposed and vulnerable to attack. 

In total, the team found 3,822 Docker hosts with the remote API open and public, and after attempting to connect to IPs via port 2735 to list Docker images, a total of 400 IPs out of 3,822 were accessible.

In the image below, the color red indicates Docker images containing cryptocurrency miners, while green highlights production environments and legitimate services such as MySQL or Apache Tomcat.

screenshot-2019-03-05-at-13-12-17.png

Illicit cryptocurrency mining, also known as cryptojacking, leverages stolen PC power to mine for coins such as Ethereum (ETH) and Monero (XMR).

TechRepublic: 3 reasons businesses are still failing at strong cybersecurity

The majority of the cryptojacking scenarios detected by Imperva were set to mine for Monero, although it has not been possible to track the source or wallet destinations for the fraudulently-obtained coins.

Cryptojacking attacks are not the only potential consequence of an open Docker container attack vector. In addition, Imperva says that such systems may be vulnerable to botnet connections, the theft of data, pivot attacks designed to tackle internal networks, and the creation of host services for phishing campaigns.

The use of remote APIs can be of value to developers and Docker users for management purposes and for the integration of third-party apps and services which need API access. However, to tackle this ongoing security issue, access should be restricted to only trusted sources.

CNET: Controversial NSA phone data collection program shut down, aide says

In November, researchers from Threat Stack said that another technique currently in active use against container systems is by probing embedded shell consoles in order to seek out vulnerabilities which can be used to inject and remotely execute code.

Threat Stack has observed recent attacks which use CNRig, based on the XMRig Monero rig, to leverage stolen computing power to mine for cryptocurrencies on vulnerable systems. 

Previous and related coverage