Cryptojacking Worm Targets and Infects 2,000 Docker Hosts

Basic and 'inept' worm managed to compromise Docker hosts by exploiting misconfigurations.

Some 2,000 Docker hosts have been attacked and infected by a relatively basic worm that exploits misconfigured permissions to download and run cryptojacking software as malicious containers.


Network security firm Palo Alto Networks in a report today said that despite its "inept" programming, the so-called Graboid worm has been successful: it searches for unsecured Docker daemons, uses the access to the Docker host to install malicious images from the Docker Hub, and then runs scripts downloaded from a command-and-control (C2) server. Among the scripts is a cryptomining program that "mines" — or attempts to generate — the Monero cryptocurrency. Each miner is active about 63% of the time, according to Palo Alto.


The worm is not exploiting a vulnerability, but a lack of proper security settings, says Jen Miller-Osborn, deputy director of Palo Alto Networks' Unit 42 threat intelligence group.


"The issue is a lack of updating any of the initial security settings," she says. "The initial point of entry into the Docker host is there because none of the settings were changed. The front door is basically open on these systems."
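One way a defender could check a host for the kind of exposure described above, as an added example that is not from the Palo Alto report or this article. It assumes the "unsecured daemon" is a Docker API TCP listener set in `daemon.json` without client-certificate verification; the function name and the sample configurations are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def audit_daemon_config(text):
    """Return (listener, scope) for each TCP listener lacking client auth."""
    cfg = json.loads(text)
    # tlsverify + tlscacert makes the daemon demand a client certificate signed
    # by that CA; "tls" alone encrypts but does not authenticate clients.
    client_auth = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp" or client_auth:
            continue  # unix:// and fd:// sockets rely on local permissions
        # Anything not explicitly loopback is treated as reachable (conservative).
        scope = "loopback only" if url.hostname in LOOPBACK else "network reachable"
        findings.append((host, scope))
    return findings

# Constructed sample configurations (file paths are placeholders).
SAMPLE_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_TLS_ONLY = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"], "tls": True,
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})
SAMPLE_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, text in [("exposed", SAMPLE_EXPOSED), ("tls-only", SAMPLE_TLS_ONLY),
                       ("hardened", SAMPLE_HARDENED)]:
        print(name, audit_daemon_config(text) or "no unauthenticated TCP listener")
```

Listeners passed to `dockerd` as `-H` flags, for example in a service unit, are outside what this check reads and need the same review.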


Cryptomining and cryptojacking have become favored tactics of online attackers as a way of easily monetizing compromised systems, and they continue to be used even as the prices of cryptocurrencies have declined from their highs of December 2017 and January 2018. Cryptomining through malware and cryptojacking, where resources are used without the owner's authorization, are often used as a way to generate a small amount of money from systems that would otherwise not be valuable to attackers.


Initially, cryptojacking often involved running JavaScript inside the browsers of visitors to compromised sites. Using co-op ..
