A mission to assess the cloud configuration and cloud threats researches deployed honeypots that mimics Docker hub instance. 3/4 of attacks are related to crypto jacking attacks and Kinsing the most prevailed malware that attacked with its payload

Misconfigured Docker daemons comprise a well-known security issue. Misconfigured daemons allow remote attackers to gain full control over a Docker instance and perform operations, such as deploying new containers and even escalating to the host.

Cloud Misconfiguration

Docker daemon exposes a restful API that allows users to interact with the daemon, which on default listens on a Unix socket. If remote access is required, the daemon can be configured to listen on a TCP socket. The issue is that there is no authentication or authorization mechanism by default when using a TCP socket. Anyone with access to the daemon can gain full privileges.

Attack Hierarchy

The majority of attacks were for cryptojacking purposes. Some of them only included a simple miner and some included sophisticated functionalities:

  • Hiding miner activity.
  • Stopping rival malware.
  • Propagating to other machines.
  • Gathering information.
  • Establishing a command and control (C2) communication.

Other attacks were only for gathering information and sending it to a remote server or deploying tools, such as a distributed denial-of-service (DDoS) agent or a botnet agent.

The breakdown of attacks caught in our Docker honeypot include 76.2% cryptojacking, 9.5% botnet, 9.5% gather information, and 4.8% DDoS agent.
Figure 1. Attacks payloads.

Some attacks were more prevalent than others and, as seen in the chart below, Kinsing was the most common malware with a total of 360 attacks.

The top five common attacks we caught in our Docker honeypot include Kinsing, Cetus, TeamTNT Botnet A, Team TNT Botnet B and Miner A.
Figure 2. Top five common attacks.

Other than Kinsing ,many malwares found like Cetus, TeamTNT Botnet1 and TeamTNT Botnet2.

The botnets are two different new variants with an end goal of deploying a botnet and a malicious cryptominer. Stealing credentials and deploying cryptominers was the goal

One of the variants also has capabilities that allow it to propagate through misconfigured Docker instances. It scans the internet for misconfigured Docker instances and, once it finds one, it sends the vulnerable IP to a C2 server and propagates by executing a malicious image on the vulnerable instance.

We called the last common attack “Miner A” since we could not determine its operators. It’s a simple XMRig miner that mines Monero.

Final Thoughts

Misconfigured Docker daemons are a well-known security issue that have been around for years, and attackers continue to take advantage. When comparing the results of our honeypot a year ago, malware that targets the cloud is getting more prevalent as attackers understand the potential of the cloud environment.

Source : PaloAlto