Crypto miners exploit vulnerable Docker hosts

Vitaly Simonovich and Ori Nakar, security researchers with Imperva, reported on 04 March that vulnerable Docker hosts were being exploited by crypto miners.

The duo opened their blog post by introducing Docker as a technology that provides operating-system-level virtualization. They noted that a large number of companies run Docker to develop, deploy and run applications inside containers.

Vitaly and Ori explained that Docker can be controlled either from the terminal or through a remote application programming interface (API). They highlighted that although the Docker remote API is a great way to control a Docker host, it comes at the cost of security. If control falls into the wrong hands, the entire network is at risk.

Vitaly and Ori described the danger:

“In February, a new vulnerability (CVE-2019-5736) was discovered that allows you to gain host root access from a docker container. The combination of this new vulnerability and exposed remote Docker API can lead to a fully compromised host.”

The pair stated that, according to Imperva research, exposed Docker remote APIs have already been compromised by hundreds of attackers. Many attackers are using the poorly protected hosts to mine the cryptocurrency Monero for financial gain. They highlighted that Monero transactions are obfuscated, which prevents tracking the source, amount or destination of a transaction.

Vitaly and Ori went on to discuss publicly exposed Docker hosts, the risks they pose to organizations, and protection methods. The pair reported that 3,822 Docker hosts with the remote API are exposed publicly. Out of this number, 400 IP addresses are accessible.

The pair further warned that the danger from hacked Docker hosts is not limited to mining. Such hosts can be used to launch more attacks with masked IPs, create a botnet or steal credentials and data. Vitaly and Ori substantiated this claim with script examples in their blog.

Vitaly and Ori concluded their blog post by reiterating the peril of an exposed Docker API. While noting that exposed Docker ports are useful for some third-party apps, they emphasized that only trusted sources must be able to interact with them. They added that Imperva is going to release a cloud discovery tool to help stakeholders in the security space ensure robust safety.
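
One way to check a host for the exposure described above, as an added example that is not from the Imperva post: this Python check audits a Docker `daemon.json` for TCP listeners that accept connections without client-certificate authentication. The sample configurations and the function name `audit_daemon_config` are constructed for illustration, and listeners passed to `dockerd` with `-H` on the command line are outside what it checks.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents (not taken from the Imperva post).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_NO_CLIENT_AUTH = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(text):
    """Return (severity, listener) findings for TCP listeners in daemon.json."""
    cfg = json.loads(text)
    # Only tlsverify makes the daemon demand a client certificate signed by the
    # configured CA; "tls": true alone encrypts but authenticates nobody.
    client_auth = cfg.get("tlsverify") is True
    findings = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        if client_auth:
            continue
        host = urlsplit(listener).hostname  # None when no address is given
        # An empty or unparsable address is treated as exposed (conservative).
        severity = "warning" if host in LOOPBACK else "critical"
        findings.append((severity, listener))
    return findings


if __name__ == "__main__":
    for name, sample in [("exposed", EXPOSED), ("tls only", TLS_NO_CLIENT_AUTH),
                         ("hardened", HARDENED)]:
        print(name, audit_daemon_config(sample) or "no unauthenticated TCP listener")
```

A `critical` finding means anyone who can reach the port can drive the daemon; a `warning` marks a loopback listener that is still unauthenticated for local processes.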