Securing Containers Against Increased Cryptojacking Attacks

• A quick search by researchers using a port-scanning service revealed that around 6,000 IP addresses could be hosting vulnerable installations of Docker.
• Securing against emerging threats that can compromise the cloud environment during runtime poses a major challenge for organizations.

New container threat

• Researchers stumbled upon a cloud-based cryptomining malware called ‘Kinsing’ that targets thousands of Docker systems to run a Bitcoin miner.
• The research team said that Containers allowing Docker commands to be executed without authentication are at risk.
• A quick search using a port-scanning service revealed that around 6,000 IP addresses could be hosting vulnerable installations of Docker. The volume of attacks suggests that it is an aggressive attack campaign since much effort is required into scanning the Internet on a daily basis.
• Also, in the first week of April 2020, a report revealed that a malicious botnet has been targeting Microsoft SQL database servers for the last two years to mine cryptocurrency.
• The hackers had managed to infect a significant number of servers, ranging from 2,000 to 3,000, on a daily basis.

Other cryptojacking attacks through Containers

• Researchers found a new cryptojacking worm, dubbed “Graboid,” that spreads using Containers in the Docker Engine and was deployed to mine Monero coins.
• An API misconfiguration in Docker Engine-Community allowed attackers to infiltrate Containers and run a variant of the Linux botnet malware AESDDoS.
• Last year, a group of researchers revealed Containers caught in malicious trap coming from a publicly accessible Docker Hub repository named “zoolu2” that contained the binary of a Monero (XMR) cryptocurrency miner.
• Researchers detected "Xulu", a mining botnet, that deployed malicious Docker Containers on victim hosts by exploiting Docker's remote API.
• Hundreds of attackers exploited the exposed Docker remote API to mine a growing cryptocurrency for financial benefits.
• A team of researchers came across an infection in the wild that searched for misconfigured publicly exposed Docker services and infected them with Containers that run Monero miners.
• Security experts discovered malicious activities on the systems running misconfigured Docker Engine-Community with its API ports exposed.

Various threats attackers exploit to compromise Containers

• Default configuration during image creation: It is one of the most common mistakes. During image creation, users often install an application with its default configuration, ignoring the security aspects.
• Exposed data in docker files: Attackers are always looking for data such as passwords and the private portions of SSH encryption keys in Dockers. Even default passwords for an account is a big risk.
• Unreliable third-party sources: Hackers have been dropping malicious codes on public platforms such as a GitHub repository to target unsuspecting users. This opens up the container to potential attacks.
• Exposed applications and ports: Deployed applications can be exploited through SQL injection, cross-site scripting, brute-force attacks, and remote file inclusion. Exposed ports in applications can also lead to API abuse.
• Non-update vulnerable images: Container images need to be regularly updated. Older infected images (with vulnerabilities or bugs) could be exploited by hackers for malicious attacks.

Why Container security should be prioritized?