AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs

By David Fiser, Jakub Urbanec and Jaromir Horejsi


Misconfiguration is not novel. However, cybercriminals still find that it is an effective way to get their hands on organizations’ computing resources to use for malicious purposes and it remains a top security concern. In this blog post, we will detail an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant (detected by Trend Micro as Backdoor.Linux.DOFLOO.AA) of the Linux botnet malware AESDDoS caught by our honeypots.


The Docker API served by the daemon on a container host accepts every container-related command, and the daemon, which runs with root permission, executes those commands. Exposing the API port externally, whether intentionally or by misconfiguration, therefore lets an attacker take ownership of the host, poison the instances running on it with malware, and gain remote access to users’ servers and hardware resources. We have previously seen cybercriminals take advantage of exposed Docker hosts, for example to deploy cryptocurrency-mining malware.




The attack


In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon. Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec com ..
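As an added defensive check (not code from the original post or from Trend Micro), the Python snippet below audits a dockerd daemon.json for the exposure the scan above looks for: a tcp:// API listener that lacks TLS, or one that enables TLS without verifying client certificates. The two sample configurations are constructed, and the certificate paths in the hardened one are placeholders.

```python
import json
from urllib.parse import urlparse

# Default ports dockerd uses when a tcp:// host omits one: 2375 plaintext, 2376 TLS.
PLAINTEXT_PORT = 2375
TLS_PORT = 2376


def audit_hosts(hosts, tls=False, tlsverify=False):
    """Return findings for network-reachable API listeners in a dockerd hosts list.

    A tcp:// listener without tls is the exposure described in the post: anyone
    who can reach the port talks to the root-privileged daemon unauthenticated.
    A listener with tls but not tlsverify encrypts traffic yet still accepts
    any client, so it is flagged as well.
    """
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        port = url.port or (TLS_PORT if tls else PLAINTEXT_PORT)
        if not tls:
            findings.append(f"{host}: unauthenticated plaintext API on port {port}")
        elif not tlsverify:
            findings.append(f"{host}: TLS without client verification on port {port}")
    return findings


def audit_daemon_json(text):
    """Audit the contents of /etc/docker/daemon.json (keys: hosts, tls, tlsverify)."""
    cfg = json.loads(text)
    return audit_hosts(cfg.get("hosts", []), bool(cfg.get("tls")), bool(cfg.get("tlsverify")))


# Constructed sample configurations, not taken from any real host.
EXPOSED_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true, "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_json(cfg) or ["no network-reachable API listener flagged"])
```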
