Tag Archive for: Docker
Cryptomining botnet targeting Docker on Linux systems
Credit: Dreamstime
LemonDuck, a well-known cryptomining botnet, is targeting Docker on Linux systems to coin digital money, CloudStrike has reported.
The vendor’s threat research team revealed in a blog written by Manoj Ahuje that the botnet is leveraging Docker APIs exposed to the internet to run malicious containers on Linux systems.
Docker is used to build, run, and mange containerised workloads. Since it runs primarily in the cloud, a misconfigured instance can expose a Docker API to the internet where it can be exploited by a threat actor, who can run a crypto miner inside an outlaw container.
Docker containers a soft target
Mike Parkin, an engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, explains that one of the main ways attackers compromise containerised environments is through misconfigurations, which just shows how many organisations are failing to follow industry best practices.
“There are tools available that can protect these environments from unauthorised use, and workload monitoring tools that can flag unusual activity,” he said in an interview. “The challenge can be coordinating between the development teams and the security teams, but there are risk management tools that can handle that as well.”
Ratan Tipirneni, president and CEO of Tigera, a provider of security and observability for containers, Kubernetes, and cloud, added that while Docker provides a high degree of programmability, flexibility, and automation it has an unintended side effect of increasing the attack surface.
“This is especially true as container technologies get adopted more broadly by the mainstream market,” he said in an interview. “This creates a soft target for adversaries to compromise Docker, since it unlocks a lot of compute power for cryptomining.”
How LemonDuck works
After running its malicious container on an exposed API, LemonDuck downloads an image file named core.png disguised as a bash script, Ahuje explained. Core.png acts as a pivot point for setting up a Linux…
A crypto-mining botnet is now stealing Docker and AWS credentials
Analysts from security firm Trend Micro said in a report today that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials.
Researchers have linked the botnet to a cybercrime operation known as TeamTNT; a group first spotted over the 2020 summer installing cryptocurrency-mining malware on misconfigured container platforms.
Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.
Researchers said the TeamTNT group would access exposed Docker containers, install a crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company’s other IT systems to infect even more servers and deploy more crypto-miners.
At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials.
TeamTNT gets more refined
But in a report today, Trend Micro researchers said that the TeamTNT gang’s malware code had received considerable updates since it was first spotted last summer.
“Compared to past similar attacks, the development technique was much more refined for this script,” said Alfredo Oliveira, a senior security researcher at Trend Micro.
“There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.”
Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code.
This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.
Oliveira points out that with the addition of this feature, “implementing [Docker] API authentication is not enough” and that companies should make sure Docker management APIs aren’t exposed online in the first place, even when using strong passwords.
But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy…