Docker Honeypots Under Rampant Attacks

Researchers flagged a pair of cyber campaigns that showcase the increasing risk in Docker engines including a compromise aimed at launching DoS attacks on Russian targets.

Researchers at Uptycs noticed that attackers compromised the firm’s honeypot with attempts ranging from 10 to 20 times a day , a Docker server configured to allow connections through the remote Docker API. The attacks resulted in the installing cryptomining software and creating a reverse shell, which would have allowed them to explore the server in real time.

Exploiting Honeypots is not a new event. Honeypots maintained by CrowdStrike experienced similar attacks through the Docker remote API, generally assigned to port 2375 or 2376. The honeypots are compromised through the open Docker API and then installed two malicious container images that were used to to attack Russian and Belarusian sites.

The target lists include the websites of the Russian and Belarusian governments, military, media, and retail sectors, as well as Russian mining, manufacturing, chemical, and technology sectors, according to CrowdStrike.

Both DoS-enabling containers are hosted on Docker Hub. One of the images has been downloaded more than 100,000 times; the second has been downloaded 50,000. Part of the downloads originated from compromised machines

Docker is well known in the development and DevOps communities, security professionals may not be as aware of the potential for insecure configurations or vulnerabilities to undermine enterprise security.

To understand their level of risk, businesses should ensure that they can adequately monitor the attack surface area of assets such as Docker, Kubernetes servers, and DevOps-related infrastructure.