Securing Containers Against Increased Cryptojacking Attacks
- A quick search by researchers using a port-scanning service revealed that around 6,000 IP addresses could be hosting vulnerable installations of Docker.
- Securing against emerging threats that can compromise the cloud environment during runtime poses a major challenge for organizations.
Containers are among the most essential technologies in DevOps known for the speed and efficiency it offers during the development process, while maintaining consistency across the board.
However, such agility also exposes organizations to potential risks.
New container threat
A threat actor group was recently found targeting insecure containers, exposed due to misconfigurations in the Docker API.
- Researchers stumbled upon a cloud-based cryptomining malware called ‘Kinsing’ that targets thousands of Docker systems to run a Bitcoin miner.
- The research team said that Containers allowing Docker commands to be executed without authentication are at risk.
- A quick search using a port-scanning service revealed that around 6,000 IP addresses could be hosting vulnerable installations of Docker. The volume of attacks suggests that it is an aggressive attack campaign since much effort is required into scanning the Internet on a daily basis.
- Also, in the first week of April 2020, a report revealed that a malicious botnet has been targeting Microsoft SQL database servers for the last two years to mine cryptocurrency.
- The hackers had managed to infect a significant number of servers, ranging from 2,000 to 3,000, on a daily basis.
Other cryptojacking attacks through Containers
Over the years, we have seen cryptojacking attacks affecting various kinds of devices but recently, hackers have resorted to Containers to channelize their attacks and quickly infect additional systems.
Security teams can learn about their attack tactics from previous attack campaigns such as:
- Researchers found a new cryptojacking worm, dubbed “Graboid,” that spreads using Containers in the Docker Engine and was deployed to mine Monero coins.
- An API misconfiguration in Docker Engine-Community allowed attackers to infiltrate Containers and run a variant of the Linux botnet malware AESDDoS.
- Last year, a group of researchers revealed Containers caught in malicious trap coming from a publicly accessible Docker Hub repository named “zoolu2” that contained the binary of a Monero (XMR) cryptocurrency miner.
- Researchers detected "Xulu", a mining botnet, that deployed malicious Docker Containers on victim hosts by exploiting Docker's remote API.
- Hundreds of attackers exploited the exposed Docker remote API to mine a growing cryptocurrency for financial benefits.
- A team of researchers came across an infection in the wild that searched for misconfigured publicly exposed Docker services and infected them with Containers that run Monero miners.
- Security experts discovered malicious activities on the systems running misconfigured Docker Engine-Community with its API ports exposed.
In 2018, it was reported that seventeen malicious Docker Containers earned cryptomining criminals $90,000 in a span of just 30 days.
Various threats attackers exploit to compromise Containers
- Default configuration during image creation: It is one of the most common mistakes. During image creation, users often install an application with its default configuration, ignoring the security aspects.
- Exposed data in docker files: Attackers are always looking for data such as passwords and the private portions of SSH encryption keys in Dockers. Even default passwords for an account is a big risk.
- Unreliable third-party sources: Hackers have been dropping malicious codes on public platforms such as a GitHub repository to target unsuspecting users. This opens up the container to potential attacks.
- Exposed applications and ports: Deployed applications can be exploited through SQL injection, cross-site scripting, brute-force attacks, and remote file inclusion. Exposed ports in applications can also lead to API abuse.
- Non-update vulnerable images: Container images need to be regularly updated. Older infected images (with vulnerabilities or bugs) could be exploited by hackers for malicious attacks.
Besides this, misconfigured security controls, mismanaged credentials, and unauthorized access to containers, are some of the other threats affecting Container security.
Why Container security should be prioritized?
Gartner predicted that, by the year 2022, more than 75% of organizations globally will be running containerized applications in production. Organizations must understand that this will give rise to gaps in Container security risks. Also, addressing issues later in the development life cycle negatively impacts the pace of cloud adoption.