Insight into How Attackers Leverage Docker Security against You

Fun fact: If you leave an API or vulnerable application exposed on the internet, it will get hacked. Docker Daemon APIs left unsecured are quickly getting compromised by cryptomining malware.

When simply configuring the Docker daemon for remote management, the Docker service creates a listener on port 2375 that offers unauthenticated full control of your Docker instance. This is textbook hygiene issue, the API should be authenticated and protected by network ACLs.  We have seen Docker instances that have been forced to run malicious cryptocurrency mining malware by leveraging the exposed and unauthenticated API.

There are a number of containers available on hub.docker.com that enable the user to easily mine cryptocurrency and those can be used to mine for both good and evil. These containers are often leveraged in cryptomining attacks, but there are those that are preconfigured to mine for a particular wallet, and are obviously malicious in nature. We will look at both of those below, and how they are used to hijack your computing resources for the attacker’s gain.

Investigating a reported cryptomining attack

There are numerous anecdotal reports on tech forums regarding compromised Docker instances. One such report came via one such forum last October. A User there reported their Docker server was compromised, and that it was used to mine cryptocurrency. In some ways this falls under the “Of course, exposed API / vulnerable application gets hacked” category, but the actual delivery mechanisms leave behind some interesting artifacts. We can’t say for sure that this specific container was used in an attack as we were not in a position to directly observe it, but we can take the user at their word, and explore what this sort of attack looks like.

After gaining access to the Docker server, the attacker downloaded a preconfigured coin miner directly from hub.docker.com that was configured to mine directly to the attacker’s wallet. This config is based on the commonly-used lightweight Alpine Linux base.

Container Definition on Hub.Docker.Com

This container definition leads us further to the Github repository that is used for automated builds on Docker Hub. By reviewing the commit history, we can see the attacker updating the configuration and even experimenting with different coins. 

Commit history for Dockerfile

Github Commit changing target pool and currency from Monero to Aeon.

This particular Docker config isn’t the only thing that our attacker is working on, as of April 6, our attacker has set up new repositories, and switched his Docker base from Alpine to Ubuntu 16.04, and using the “–av=2” switch that is used for low-power mining on virtual CPUs.

Newly committed repository indicating shift to Ubuntu base OS.

The configured wallet and pool lead us directly to activity against that wallet. Judging from his or her overall activity with Monero, we see that the attacker has been fairly successful, having mined 175 Monero (Approx $35,000 USD) from this pool.

Historical Hashrate for configured wallet

Vulnerable APIs put you at risk of cryptomining

In real world tests of intentionally deployed vulnerable Docker configurations, we observed that our instances were compromised hours after deployment. We observed that our instances were used to download the Minergate mining software from hub.docker.com.

The software was launched with the attacker’s login information in the command line. Using the Docker client from his machine the attacker was able to quickly deploy a malicious container to our instance using the same command line tools that make managing Docker easy.

Network capture of attack downloading Minergate Docker container

The moral of the story is don’t deploy vulnerable Docker configurations. Cybercriminals have an array of automated tools to scan for and detect insecure APIs and exposed vulnerabilities. The same tools that make it easy for you to manage and deploy Docker environments, and the same tools that allow you to mine for cryptocurrency yourself can also be used against you by attackers who want to hijack your environment to mine cryptocurrency for their own financial gain.