An obvious operational security slip-up by a member of the TeamTNT threat group has exposed some of the techniques it is using to exploit poorly configured Docker servers.
Security researchers from Trend Micro recently set up a honeypot with an exposed Docker REST API to try to understand how threat actors are typically exploiting vulnerabilities and misconfigurations in the widely used cloud container platform. They found TeamTNT — a group known for its cloud-specific campaigns — making at least three attempts to exploit its Docker honeypot.
“On one of our honeypots, we had deliberately exposed a server with the Docker Daemon exposed over REST API,” says Nitesh Surana, threat research engineer at Trend Micro. “The threat actors found the misconfiguration and exploited it three times from IPs based in Germany, where they were logged in to their DockerHub registry,” Surana says. “Based on our observation, the motivation of the attacker was to exploit the Docker REST API and compromise the underlying server to perform cryptojacking.”
The security vendor’s analysis of the activity eventually led to uncovering credentials for at least two DockerHub accounts that TeamTNT controlled (the group was abusing DockerHub free Container Registry services) and was using to distribute a variety of malicious payloads, including coin miners.
One of the accounts (with the name “alpineos”) hosted a malicious container image containing rootkits, kits for Docker container escape, the XMRig Monero coin miner, credential stealers, and Kubernetes exploit kits.
Trend Micro found the malicious image had been downloaded more than 150,000 times, which could translate into a large swath of infections.
The other account (sandeep078) hosted an identical malicious container image but had far fewer “pulls” — about 200 — compared with the former. Trend Micro pointed to a few scenarios that likely resulted in the leak of the TeamTNT Docker registry account credentials. These include a failure to log out from the DockerHub account or their machines being self-infected.
Malicious Cloud Container Images: A Useful Feature
Developers often expose the Docker daemon over its REST API so they can create containers and run Docker commands on remote servers. However, if the remote servers are not properly configured — for instance, by making them publicly accessible — attackers can exploit the servers, Surana says.
In these cases, threat actors can spin up a container on the compromised server from images that execute malicious scripts. Typically, these malicious images are hosted on container registries such as DockerHub, Amazon Elastic Container Registry (ECR), and Alibaba Container Registry. Attackers can use either compromised accounts on these registries to host the malicious images, or they can set up their own, Trend Micro has previously noted. Attackers can also host malicious images on their own private container registry.
Containers that are spun up from a malicious image can be used for a variety of malicious activities, Surana notes. “When a server running Docker has its Docker Daemon publicly exposed over REST API, an attacker can abuse and create containers on the host based on attacker-controlled images,” he says.
A Plethora of Cyberattacker Payload Options
These images could contain cryptominers, exploit kits, container escape tools, and network and enumeration tools. “Attackers could also perform crypto-jacking, denial of service, lateral movement, privilege escalation, and other techniques within the environment using these containers,” according to the analysis.
“Developer-centric tools like Docker have been known to be abused extensively. It’s important to educate [developers] at large by creating policies for access and credential use, as well as generate threat models of their environments,” Surana advocates.
Organizations should also make sure that containers and APIs are always properly configured so that exposure to exploitation is minimized. This includes ensuring that they are accessible only from the internal network or by trusted sources. In addition, they should follow Docker’s guidelines for strengthening security. “With the growing number of malicious open source packages targeting user credentials,” Surana says, “users should avoid storing credentials in files. Instead, they are advised to opt for tools such as credential stores and helpers.”
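As an added example (not code from Trend Micro’s research or from this article), the following Python audit flags the two misconfigurations described above: a Docker daemon listening on an unauthenticated TCP REST socket, and registry credentials left in `~/.docker/config.json` by `docker login` instead of being kept in a credential store or helper. The daemon.json and config.json samples are constructed, and the 10.0.0.5 address and certificate paths are assumptions.

```python
import json

# Constructed insecure /etc/docker/daemon.json: the REST API is bound to every
# interface on port 2375 with no TLS client verification, the exposure TeamTNT
# found on the honeypot.
INSECURE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tlsverify": false
}"""

# Constructed hardened form: local socket plus a TCP listener on an internal
# address (assumed 10.0.0.5) that requires client certificates (paths assumed).
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed ~/.docker/config.json after `docker login`: "auth" is merely
# base64("user:password"), readable by any process or malware on the host.
FILE_CREDS_CONFIG = '{"auths": {"https://index.docker.io/v1/": {"auth": "dXNlcjpwYXNzd29yZA=="}}}'
# Same file when a credential helper is configured: the entry carries no secret.
HELPER_CREDS_CONFIG = '{"auths": {"https://index.docker.io/v1/": {}}, "credsStore": "pass"}'


def audit_daemon(daemon_json):
    """Return findings for every tcp:// listener in daemon.json; a listener
    without tlsverify accepts unauthenticated API calls from anyone who can
    reach the port."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// sockets are local-only
        if cfg.get("tlsverify", False):
            findings.append(f"INFO: TLS-verified listener on {host}; still restrict it by firewall")
        else:
            findings.append(f"CRITICAL: unauthenticated Docker REST API on {host}")
    return findings


def audit_client_config(config_json):
    """Return a warning for each registry whose credentials sit inline in the
    config file rather than in a credential store or helper."""
    cfg = json.loads(config_json)
    return [f"WARN: base64 credentials for {registry} stored in config file"
            for registry, entry in cfg.get("auths", {}).items() if entry.get("auth")]
```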