Docker Users Targeted with Crypto Malware Via Exposed APIs

Hackers are attempting to compromise Docker servers en masse via exposed APIs in order to spread cryptocurrency mining malware, according to researchers.

Aqua Security claimed to have tracked the organized campaign for several months, revealing that thousands of attempts to hijack misconfigured Docker Daemon API ports are taking place almost every single day.

“In this attack, the attackers exploit a misconfigured Docker API port to run an Ubuntu container with the kinsing malicious malware, which in turn runs a cryptominer and then attempts to spread the malware to other containers and hosts,” it explained.

The Ubuntu container itself is designed to disable security measures, clear logs and kill applications on the system, including any other malware, and to download the kinsing malware, which is designed to mine for digital currency on the compromised Docker host.

Once kinsing is downloaded, it tries to connect with C&C servers in Eastern Europe, with a different server used for each function. It then attempts to spread laterally across the container network by collecting and using SSH credentials.

“Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned shell script and run the malware on other hosts or containers in the network,” said Aqua Security.

The cryptominer itself, kdevtmpfsi, is designed to mine for Bitcoin.

DevSecOps teams must step up their response by enforcing least-privilege access policies, scanning images, looking for anomalies in user behavior and investing in cloud security tools to enforce policies, argued the vendor.
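One way to check a host for the misconfigured Docker API port described above: this added example (not from Aqua Security or the article) audits a Docker `daemon.json` and `dockerd` command line for TCP API listeners that do not enforce TLS client verification. The function names, severity labels and sample inputs are constructed for illustration.

```python
import json
import shlex

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def bind_address(host):
    """Return the bind address of a tcp:// host entry (empty = all interfaces)."""
    addr = host[len("tcp://"):]
    if addr.endswith("]") or ":" not in addr:   # no port given
        return addr
    return addr.rsplit(":", 1)[0]

def audit_daemon(daemon_json_text="{}", dockerd_cmdline="dockerd"):
    """Return (severity, host, reason) for each TCP listener lacking tlsverify."""
    cfg = json.loads(daemon_json_text or "{}")
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))

    # Merge in listeners and TLS settings passed on the dockerd command line.
    args = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True

    findings = []
    for host in hosts:
        if not host.startswith("tcp://") or tlsverify:
            continue  # unix sockets, or TCP with mutual TLS enforced
        severity = "medium" if bind_address(host) in LOOPBACK else "critical"
        findings.append((severity, host, "TCP API listener without TLS client verification"))
    return findings

if __name__ == "__main__":
    # Constructed sample configuration, not taken from the article.
    sample = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    for finding in audit_daemon(sample):
        print(finding)
```

A listener bound only to loopback is still reported, at lower severity, because any local process or container sharing the host network can reach it.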

Containers are increasingly on the front line when it comes to enterprise cyber-threats. Last year researchers found over 40,000 misconfigured Kubernetes and Docker containers online.

It’s not all about user error; in April 2019 Docker Hub, the world’s largest container image library, discovered unauthorized access to its platform affecting 190,000 accounts.
