A mission to assess the cloud configuration and cloud threats researches deployed honeypots that mimics Docker hub instance. 3/4 of attacks are related to crypto jacking attacks and Kinsing the most prevailed malware that attacked with its payload
Misconfigured Docker daemons comprise a well-known security issue. Misconfigured daemons allow remote attackers to gain full control over a Docker instance and perform operations, such as deploying new containers and even escalating to the host.
Docker daemon exposes a restful API that allows users to interact with the daemon, which on default listens on a Unix socket. If remote access is required, the daemon can be configured to listen on a TCP socket. The issue is that there is no authentication or authorization mechanism by default when using a TCP socket. Anyone with access to the daemon can gain full privileges.
The majority of attacks were for cryptojacking purposes. Some of them only included a simple miner and some included sophisticated functionalities:
- Hiding miner activity.
- Stopping rival malware.
- Propagating to other machines.
- Gathering information.
- Establishing a command and control (C2) communication.
Other attacks were only for gathering information and sending it to a remote server or deploying tools, such as a distributed denial-of-service (DDoS) agent or a botnet agent.
Some attacks were more prevalent than others and, as seen in the chart below, Kinsing was the most common malware with a total of 360 attacks.
Other than Kinsing ,many malwares found like Cetus, TeamTNT Botnet1 and TeamTNT Botnet2.
The botnets are two different new variants with an end goal of deploying a botnet and a malicious cryptominer. Stealing credentials and deploying cryptominers was the goal
One of the variants also has capabilities that allow it to propagate through misconfigured Docker instances. It scans the internet for misconfigured Docker instances and, once it finds one, it sends the vulnerable IP to a C2 server and propagates by executing a malicious image on the vulnerable instance.
We called the last common attack “Miner A” since we could not determine its operators. It’s a simple XMRig miner that mines Monero.
Misconfigured Docker daemons are a well-known security issue that have been around for years, and attackers continue to take advantage. When comparing the results of our honeypot a year ago, malware that targets the cloud is getting more prevalent as attackers understand the potential of the cloud environment.
Source : PaloAlto