Cybersecurity researchers have disclosed a new, sophisticated cryptojacking campaign that targets the Docker Engine API to hijack cloud resources and create a malicious Docker Swarm botnet.
In a detailed Datadog Security Research analysis, attackers exploit unauthenticated and exposed Docker Engine API endpoints to deploy cryptocurrency miners on compromised containers. By leveraging Docker Swarm's orchestration features for command-and-control (C2) purposes, the attackers effectively turn compromised systems into coordinated botnets.
This Threatfeed delves into the mechanics of the critical cryptojacking attack, the tools, and scripts leveraged by the threat actors, and provides comprehensive recommendations for safeguarding against such threats.
Understanding the Attack Vector
Initial Access via Exposed Docker APIs
Attackers initiate the campaign by scanning the internet for exposed Docker Engine API endpoints using tools like masscan (a fast port scanner) and ZGrab (an application layer scanner). These endpoints, typically listening on ports 2375, 2376, 2377, 4243, and 4244, can be unauthenticated and, if misconfigured, provide root-level access to the host.
Quote from Datadog's Report:
> "We have discovered a new cryptojacking campaign targeting Docker Engine API, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers." — Datadog Security Research
Deployment of Malicious Containers
Once an exposed API is found, the attackers spawn an Alpine Linux container with the host's filesystem mounted inside. This container retrieves an initialization shell script (`init.sh`) from a remote server (`solscan[.]live`). The script performs several actions:
- Ensures data transfer tools like `curl` and `wget` are installed.
- Checks for root privileges.
- Downloads and executes the XMRig miner for cryptocurrency mining.
- Installs a custom libprocesshider rootkit to hide malicious processes.
Hiding Malicious Activity
The libprocesshider rootkit is employed to conceal the XMRig miner process from system monitoring tools like `top` and `ps`, making it difficult for administrators to detect unusual activity.
Lateral Movement and Propagation
Additional Payloads and Scripts
The `init.sh` script also fetches additional scripts for lateral movement:
- `kube.lateral.sh`: Targets Kubernetes environments.
- `spread_docker_local.sh`: Scans local network ranges for other Docker hosts.
- `spread_ssh.sh`: Attempts to spread via SSH by adding authorized keys and creating new users.
Targeting Kubernetes with `kube.lateral.sh`
The script disables security measures like firewalls and SELinux before scanning local network ranges for open Kubelet API ports (10250). If vulnerable Kubernetes nodes are found, it can execute commands to deploy the miner on pods running on those nodes.
Scanning and Exploitation with `spread_docker_local.sh`
- Uses `masscan` and `zgrab` to find hosts with open Docker-related ports.
- Deploys malicious containers on discovered hosts using images hosted on Docker Hub by user nmlmweb3.
- The images execute `init.sh`, propagating the malware.
SSH Backdoors with `spread_ssh.sh`
- Scans for SSH servers on the local network.
- Adds a new SSH key and creates a new user named ftp with root privileges.
- Searches for credential files related to SSH, AWS, Google Cloud, and Samba, particularly targeting GitHub Codespaces environments.
- Uploads any found credentials to the C2 server.
Manipulating Docker Swarm with `TDGINIT.sh`
- Forces compromised Docker hosts to leave existing Swarms.
- Joins them to a new Swarm controlled by the attacker using a predefined token.
- Allows attackers to use Docker Swarm's orchestration for C2, issuing commands across all compromised nodes.
Persistence Mechanisms
Process Hiding and Dynamic Linker Hijacking
- Uses Dynamic Linker Hijacking by modifying `/etc/ld.so.preload` to ensure the rootkit is loaded for every new process.
- Hides the XMRig miner process, preventing detection.
Cron Jobs and Immutable Files
- Installs cron jobs to maintain persistence.
- Uses the `chattr +ai` command to make backdoor files immutable, preventing their removal or modification.
Broader Implications
Threat to Cloud Infrastructure
This campaign highlights significant risks:
- Resource Drain: Cryptocurrency mining consumes substantial CPU and memory resources, affecting performance and increasing costs.
- Security Risks: Attackers with root access can exfiltrate data, install additional malware, or use the infrastructure for further attacks.
- Botnets: Compromised hosts can be coordinated for distributed denial-of-service (DDoS) attacks or other malicious activities.
Potential Attribution to TeamTNT
While some tactics resemble those of TeamTNT, a known threat group specializing in cloud-focused attacks, definitive attribution remains uncertain.
Recommendations for Prevention and Mitigation
- Secure Docker API Endpoints:
- Do not expose the Docker Engine API to the internet.
- Secure it with TLS authentication and firewall rules.
- Regularly Update and Patch Systems:
- Keep Docker, Kubernetes, and associated services updated.
- Apply security patches promptly.
- Monitor Network Traffic and Logs:
- Use intrusion detection systems (IDS) to monitor for unusual activity.
- Be alert for large outbound traffic volumes indicative of cryptomining or data exfiltration.
- Regularly check system logs for unauthorized modifications.
- Implement Principle of Least Privilege:
- Limit user permissions and avoid running containers as root when possible.
- Use role-based access control (RBAC) in Kubernetes.
- Use Security Tools and Best Practices:
- Employ tools like Docker Bench Security to assess the security posture.
- Utilize cloud security posture management (CSPM) solutions for continuous monitoring.
- Enable logging and monitoring features in Docker and Kubernetes.
- Educate and Train Staff:
- Ensure that DevOps and IT teams are aware of security best practices for containerized environments.
- Conduct regular security awareness training.
- Audit and Secure Credentials:
- Regularly audit credentials and keys stored in environments like GitHub Codespaces.
- Use secrets management tools to store sensitive information securely.
Conclusion
The discovery of this cryptojacking campaign underscores the critical need for securing containerized environments. Exposed Docker APIs and misconfigured Kubernetes clusters present significant risks, enabling attackers to mine cryptocurrency and establish botnets for broader malicious activities.
Organizations must proactively secure their Docker and Kubernetes environments, regularly audit configurations, and stay informed about emerging threats. By implementing robust security measures and educating staff, the risk of such attacks can be significantly mitigated.
Indicators of Compromise (IOCs)
- `init.sh`, `kube.lateral.sh`, `spread_docker_local.sh`, `spread_ssh.sh`, `ar.sh`, `TDGINIT.sh`, `pdflushs.sh`
- Use of `libprocesshider` rootkit
- `solscan.live`
- `147.75.47.199`
- Docker Hub user `nmlmweb3`
- Docker ports: 2375, 2376, 2377, 4243, 4244
- Kubernetes Kubelet API port: 10250
- SSH port: 22
References