Cybercriminals are now targeting vulnerable and exposed Docker containers to deploy cryptojacking campaigns. Research by security firm Imperva showed that attackers relied on the Docker's API to sneakily mine cryptocurrency.
The exposed Docker ports were found through the Shodan search engine. Generally, these open ports are required for third-party platforms such as Portainer to manage Docker containers.
Misconfiguring servers can prove costly
Imperva emphasized that many organizations fail to configure their Docker services regularly.
“The Docker remote API listens on ports 2735 / 2736. By default, the remote API is only accessible from the loopback interface (“localhost”, “127.0.0.1”), and should not be available from external sources. However, as with other cases — for example, publically-accessible Redis servers such as RedisWannaMine — sometimes organizations are misconfiguring their services, allowing easy access to their sensitive data.” said the company.
How to protect Docker containers?
It is suggested that Docker containers be protected against such attacks by taking the right measures. This can be done by enabling TLS verification and then directing the Docker container's 'tlscacert' flag to a trusted CA certificate. This way, the Docker will communicate securely. More details about this about this can be found in the Docker documentation.