Stealing Infrastructure: Cryptomining Attacks on Container Environments

Usually the target is data and the goal is theft. But thieves are expanding their horizons and aiming to cash in elsewhere. A new target, recently exposed by researchers at Aqua Research, is computing resources: the team says containers are being commandeered for cryptocurrency mining, or cryptomining.

“We think that the main reason containers are an increasingly popular target for this kind of attack is because containers make it very easy to deploy malware automatically and, with luck, at scale,” said Michael Cherny, head of Security Research at Aqua. “The attacker doesn’t need to alter the environment, implement complex install scripts, etc. If he can run a container, a single Docker/Kubernetes/DC/OS API call can deploy more miners and make sure they’re persistent.”

The researchers say they have not found a Docker vulnerability that malicious actors can exploit. Rather, it’s a spin on the old “left the barn door open after deployment” story: a general failure to secure container environments is what leads to this type of attack.

Docker works in a client-server architecture wherein a client sends a command through Docker’s REST API to a Docker daemon, which runs in the background and handles container management. Users can elect to configure the daemon to be exposed to the network via a TCP socket. That exposure must be protected, at minimum, by an HTTPS configuration and enforced authentication. The honeypot the researchers used to attract attackers and study the anatomy of such an attack consisted simply of exposed Docker daemons.
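To make the “barn door” concrete, here is an added example (not from the article or from Aqua’s research) that audits a `daemon.json` for exactly the exposure the honeypot reproduced: a TCP listener without client-certificate authentication. The two configurations are constructed for illustration; the keys `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are the ones dockerd actually reads, and the management address 10.0.0.5 is made up.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configs (not taken from any real deployment).
# Weak: the API is exposed on all interfaces over plain TCP, no client auth.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# Hardened: TLS with mandatory client certificates, bound to one management address.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return one finding per problem with network-reachable API listeners.

    A unix-socket-only daemon is not reachable from the network, so it yields
    no findings. For tcp:// listeners we require tlsverify (mutual TLS), a
    complete CA/cert/key set, a non-wildcard bind address, and not the
    conventional plaintext port 2375.
    """
    cfg = json.loads(daemon_json)
    findings: list[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings
    tls_verify = cfg.get("tlsverify") is True
    certs_present = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    for host in tcp_hosts:
        parts = urlsplit(host)
        if not tls_verify:
            # "tls": true alone encrypts the channel but still accepts any client.
            findings.append(f"{host}: API reachable without client-certificate auth (tlsverify not set)")
        elif not certs_present:
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
        if parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces; bind to a management address or firewall it")
        if parts.port == 2375:
            findings.append(f"{host}: port 2375 is the conventional plaintext Docker API port")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```

Run it against `/etc/docker/daemon.json` (and remember that `-H` flags on the `dockerd` command line override the file) to see whether a host looks like the researchers’ honeypot.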

The ease of container hijacking attracts cryptomining script kiddies, but more skilled attackers may tap into computing resources, too.

“When we started our research, it took less than 48 hours for a cryptominer to find our ‘randomly exposed’ machine in the cloud and attempt an attack. So clearly, cryptomining attacks are becoming increasingly targeted at container deployments, though more sophisticated attacks may be less frequent and less obvious,” Cherny said.

There’s also little risk in getting caught.

The researchers warned that unless the attacker gets greedy and uses too many containers or runs them at high CPU usage rates, victims are unlikely to ever see the attack. That is especially true if the attacking container is deployed to a development or test environment, which are rarely monitored as closely as production environments.

It’s not the worst of attacks, by a long shot, but it can lead to other forms of attacks. “If an attacker can run a rogue container that mines for bitcoin, they can probably run containers that do worse things,” Cherny said. Of course, that’s not to say that attacks on containers have zero costs for victims.

“From the cryptomining point of view, the hard costs are cloud charges for CPU and data, or electricity for on-premises installations. If the crypto-hijacking turns into full-blown data breach, then that’s a different story. But generally speaking, compared to other kinds of breaches, the financial costs are relatively low. Most cryptominers are looking to steal resources, not data,” explains Cherny.

The moral of the story is to secure containers, which is easier than securing many other kinds of systems. Indeed, containers have thwarted Spectre and Meltdown attacks, but that doesn’t mean you can relax your guard.

To protect against cryptocurrency miners, the researchers recommend blocking outbound network connections, since that makes the mining exercise pointless. They also recommend regular scans for vulnerabilities and the use of approved images only.

Pam Baker