Docker
A new cryptojacking attack exploits Docker Swarm and Kubernetes via exposed APIs...
Cybersecurity researchers have disclosed a new, sophisticated cryptojacking campaign that targets the [Docker](https://www.secureblink.com/cyber-security-news/new-cyberattack-targets-docker-ap-is-with-advanced-cryptojacking-tactics-1) Engine API to hijack cloud resources and create a malicious Docker Swarm botnet.
In a detailed Datadog Security Research analysis, attackers exploit unauthenticated and exposed Docker Engine API endpoints to deploy cryptocurrency miners on compromised containers. By leveraging Docker Swarm's orchestration features for command-and-control (C2) purposes, the attackers effectively turn compromised systems into coordinated botnets.
This [Threatfeed](https://www.secureblink.com/cyber-security-news) delves into the mechanics of the critical cryptojacking attack, the tools, and scripts leveraged by the threat actors, and provides comprehensive recommendations for safeguarding against such threats.
## Understanding the Attack Vector
### Initial Access via Exposed Docker APIs
Attackers initiate the campaign by scanning the internet for exposed Docker Engine API endpoints using tools like **masscan** (a fast port scanner) and **ZGrab** (an application layer scanner). These endpoints, typically listening on ports **2375**, **2376**, **2377**, **4243**, and **4244**, can be unauthenticated and, if misconfigured, provide root-level access to the host.
**Quote from Datadog's Report:**
> "We have discovered a new cryptojacking campaign targeting Docker Engine API, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers." — [Datadog Security Research](https://securitylabs.datadoghq.com/articles/threat-actors-leveraging-docker-swarm-kubernetes-mine-cryptocurrency/)
### Deployment of Malicious Containers
Once an exposed API is found, the attackers spawn an Alpine Linux container with the host's filesystem mounted inside. This container retrieves an initialization shell script (`init.sh`) from a remote server (`solscan[.]live`). The script performs several actions:
- Ensures data transfer tools like `curl` and `wget` are installed.
- Checks for root privileges.
- Downloads and executes the **XMRig** miner for cryptocurrency mining.
- Installs a custom **libprocesshider** rootkit to hide malicious processes.
### Hiding Malicious Activity
The **libprocesshider** rootkit is employed to conceal the **XMRig** miner process from system monitoring tools like `top` and `ps`, making it difficult for administrators to detect unusual activity.
## Lateral Movement and Propagation
### Additional Payloads and Scripts
The `init.sh` script also fetches additional scripts for lateral movement:
1. **`kube.lateral.sh`**: Targets Kubernetes environments.
2. **`spread_docker_local.sh`**: Scans local network ranges for other Docker hosts.
3. **`spread_ssh.sh`**: Attempts to spread via SSH by adding authorized keys and creating new users.
### Targeting Kubernetes with `kube.lateral.sh`
The script disables security measures like firewalls and SELinux before scanning local network ranges for open **Kubelet API** ports (10250). If vulnerable Kubernetes nodes are found, it can execute commands to deploy the miner on pods running on those nodes.
### Scanning and Exploitation with `spread_docker_local.sh`
- Uses `masscan` and `zgrab` to find hosts with open Docker-related ports.
- Deploys malicious containers on discovered hosts using images hosted on Docker Hub by user **nmlmweb3**.
- The images execute `init.sh`, propagating the malware.
### SSH Backdoors with `spread_ssh.sh`
- Scans for SSH servers on the local network.
- Adds a new SSH key and creates a new user named **ftp** with root privileges.
- Searches for credential files related to SSH, AWS, Google Cloud, and Samba, particularly targeting GitHub Codespaces environments.
- Uploads any found credentials to the C2 server.
### Manipulating Docker Swarm with `TDGINIT.sh`
- Forces compromised Docker hosts to leave existing Swarms.
- Joins them to a new Swarm controlled by the attacker using a predefined token.
- Allows attackers to use Docker Swarm's orchestration for C2, issuing commands across all compromised nodes.
## Persistence Mechanisms
### Process Hiding and Dynamic Linker Hijacking
- Uses **Dynamic Linker Hijacking** by modifying `/etc/ld.so.preload` to ensure the rootkit is loaded for every new process.
- Hides the **XMRig** miner process, preventing detection.
### Cron Jobs and Immutable Files
- Installs cron jobs to maintain persistence.
- Uses the `chattr +ai` command to make backdoor files immutable, preventing their removal or modification.
## Broader Implications
### Threat to Cloud Infrastructure
This campaign highlights significant risks:
- **Resource Drain**: Cryptocurrency mining consumes substantial CPU and memory resources, affecting performance and increasing costs.
- **Security Risks**: Attackers with root access can exfiltrate data, install additional malware, or use the infrastructure for further attacks.
- **Botnets**: Compromised hosts can be coordinated for distributed denial-of-service (DDoS) attacks or other malicious activities.
### Potential Attribution to TeamTNT
While some tactics resemble those of **[TeamTNT](https://www.secureblink.com/cyber-security-news/teamtnt-targets-compromised-docker-hub-accounts-to-distribute-crypto-mining-malware)**, a known threat group specializing in cloud-focused attacks, definitive attribution remains uncertain.
## Recommendations for Prevention and Mitigation
1. **Secure Docker API Endpoints**:
- Do not expose the Docker Engine API to the internet.
- Secure it with TLS authentication and firewall rules.
2. **Regularly Update and Patch Systems**:
- Keep Docker, Kubernetes, and associated services updated.
- Apply security patches promptly.
3. **Monitor Network Traffic and Logs**:
- Use intrusion detection systems (IDS) to monitor for unusual activity.
- Be alert for large outbound traffic volumes indicative of cryptomining or data exfiltration.
- Regularly check system logs for unauthorized modifications.
4. **Implement Principle of Least Privilege**:
- Limit user permissions and avoid running containers as root when possible.
- Use role-based access control (RBAC) in Kubernetes.
5. **Use Security Tools and Best Practices**:
- Employ tools like Docker Bench Security to assess the security posture.
- Utilize cloud security posture management (CSPM) solutions for continuous monitoring.
- Enable logging and monitoring features in Docker and Kubernetes.
6. **Educate and Train Staff**:
- Ensure that DevOps and IT teams are aware of security best practices for containerized environments.
- Conduct regular security awareness training.
7. **Audit and Secure Credentials**:
- Regularly audit credentials and keys stored in environments like GitHub Codespaces.
- Use secrets management tools to store sensitive information securely.
## Conclusion
The discovery of this cryptojacking campaign underscores the critical need for securing containerized environments. Exposed Docker APIs and misconfigured Kubernetes clusters present significant risks, enabling attackers to mine cryptocurrency and establish botnets for broader malicious activities.
Organizations must proactively secure their Docker and Kubernetes environments, regularly audit configurations, and stay informed about emerging threats. By implementing robust security measures and educating staff, the risk of such attacks can be significantly mitigated.
## Indicators of Compromise (IOCs)
- **Files and Scripts**:
- `init.sh`, `kube.lateral.sh`, `spread_docker_local.sh`, `spread_ssh.sh`, `ar.sh`, `TDGINIT.sh`, `pdflushs.sh`
- Use of `libprocesshider` rootkit
- **Domains and IPs**:
- `solscan.live`
- `147.75.47.199`
- Docker Hub user `nmlmweb3`
- **Ports Targeted**:
- Docker ports: 2375, 2376, 2377, 4243, 4244
- Kubernetes Kubelet API port: 10250
- SSH port: 22
## References
- [Datadog Security Research Detailed Analysis](https://www.datadoghq.com/blog/threat-actors-leverage-docker-swarm-and-kubernetes-to-mine-cryptocurrency-at-scale/)
- [Docker Security Documentation](https://docs.docker.com/engine/security/security/)
- [Kubernetes Security Best Practices](https://kubernetes.io/docs/concepts/security/overview/)
- [TeamTNT Threat Analysis by Trend Micro](https://www.trendmicro.com/en_us/research/20/j/teamtnt-targeting-docker-systems-using-weak-credentials.html)
