Recent research from Trend Micro has uncovered alarming tactics employed by cybercriminals targeting Docker remote API servers. These bad actors are deploying the SRBMiner crypto miner on compromised instances, posing significant threats to organizations that fail to secure their Docker environments.
How the Attack Works
The attack begins with a reconnaissance phase, where attackers identify public-facing Docker API hosts. They check for the availability of HTTP/2 protocol upgrades, which allows them to send a connection upgrade request to the h2c protocol—an unencrypted version of HTTP/2. By using this method, they can bypass various security measures.
Once a connection is established, the attackers utilize gRPC methods to manipulate Docker functionalities. These methods allow for a wide range of operations, including health checks, file synchronization, authentication, and secrets management. After successfully processing the connection upgrade, the adversaries send a gRPC request to “/moby.buildkit.v1.Control/Solve” to create a container specifically for mining XRP cryptocurrency using the SRBMiner payload sourced from GitHub.
Evading Security Measures
The researchers emphasize that the attackers’ use of gRPC over h2c is particularly concerning, as it enables them to circumvent multiple layers of security to deploy the mining software. This not only jeopardizes the integrity of the affected Docker hosts but also leads to unauthorized cryptocurrency mining, which can significantly impact system performance and resources.
Additional Exploits
In a related observation, Trend Micro noted that attackers have also been exploiting exposed Docker API servers to deploy the perfctl malware. This campaign involves probing for vulnerable servers, creating a Docker container with the image “ubuntu,” and executing a Base64-encoded payload. This payload includes a shell script that checks for duplicate instances and generates another script to download a malicious binary disguised as a PHP file (“avatar.php”), ultimately delivering a payload named httpd.
Recommendations for Protection
To defend against such attacks, organizations are urged to take several precautions:
- Implement Strong Access Controls: Ensure that Docker remote API servers are not publicly accessible and require robust authentication mechanisms.
- Monitor for Unusual Activities: Regularly inspect Docker environments for any signs of unauthorized access or unusual behavior.
- Adhere to Container Security Best Practices: Follow established guidelines for securing containerized applications and environments.
By adopting these security measures, organizations can mitigate the risks associated with these evolving cyber threats and protect their resources from illicit mining activities. As cybercriminal tactics continue to advance, staying informed and proactive is essential for safeguarding digital infrastructures.
FAQ: Cybercriminals Exploiting Docker API Servers for Crypto Mining Attacks
1. What is the SRBMiner crypto miner?
SRBMiner is a mining software specifically designed for cryptocurrencies, such as XRP. Cybercriminals use it to illicitly mine digital currencies by exploiting compromised systems.
2. How do attackers target Docker remote API servers?
Attackers identify public-facing Docker API servers and check for available HTTP/2 protocol upgrades. They then send a connection upgrade request to h2c, allowing them to bypass security measures and manipulate Docker functionalities.
3. What is the gRPC protocol?
gRPC is a high-performance, open-source RPC (Remote Procedure Call) framework developed by Google. It enables efficient communication between applications, allowing attackers to execute various Docker commands when exploited.
4. What are the risks associated with these attacks?
Compromised Docker hosts can lead to unauthorized resource usage for mining cryptocurrencies, impacting system performance. Additionally, it can expose sensitive data and other vulnerabilities within the Docker environment.
5. What is the perfctl malware mentioned in the report?
Perfctl is another type of malware that attackers deploy by exploiting Docker API servers. It executes a series of malicious payloads that can further compromise the affected systems.
For regular updates on hacker and cyber security news follow our website.