In a new report Unit42 of Palo Alto Networks researchers present results of a study of one honeypot that resembles a misconfigured Docker daemon.
Researchers collected data from March to April 2021, analyzed 850 distinct attacks with 33 distinct payloads. More than 75% of them were cryptojacking attacks, and Kinsing was the most common malware with 360 attacks. They provide insights on how frequently the Docker instance was attacked and detail payloads that were employed in each attack.
Docker Hub is the world’s largest repository of container images with a large community of developers and open source projects building and distributing their code in containers.
Misconfigured Docker daemons are a well-known security problem. Misconfigured daemons give remote attackers full access over a Docker instance, enabling them to install new containers and even push to the host.
Some time ago, Unit42 discovered that there were over 1,400 insecure Docker web servers, which gave rise to a cryptojacking malware like Cetus, Pro-Ocean, Graboid, and Black-T.
The Docker daemon exposes a RESTful API that enables users to interact with the daemon. Configuring the daemon to listen on a TCP socket requires remote access. There is no authentication or authorisation method by default when utilizing a TCP socket, so anyone with access to the daemon has full privileges.
During the 50-day test period, Unit42 researchers discovered that the honeypot was being attacked about every 90 minutes.
Multiple threat actors try to use this loophole. Attackers appear to realize this, and build their malware to recognize and stop competitor’s malware, so that they will be the only malware in the system.
Most attacks were for cryptocurrency mining. Others had more advanced functionalities:
- concealment of cryptomining activities
- stopping other malware
- propagating to other machines
- gathering information
- establishing C2 communication
Some attacks had only one goal: to collect information and transfer it to a remote site or to launch DDoS or botnet agents.
Research showed Kinsing malware was the most common accounting for a total 360 attacks.
Of the five most-common attacks, TeamTNT is responsible for three – Cetus, TeamTNT Botnet1, and TeamTNT Botnet2.
One of the variants of a TeamTNT’s botnet can propagate over misconfigured Docker instances. It discovers Docker instances that are misconfigured and then sends the vulnerable IP to a C2 server for exploitation.
Docker misconfigured daemons are an age-old security problem that hackers exploit. Researchers noted that attackers see the profitability of exploiting cloud environment and increasingly design malware to target the cloud.