Docker Under Siege: Cybercriminals Compromise Honeypots to Ramp Up Attacks

Cloud containers are increasingly part of the cybercrime playbook, with researchers flagging ongoing scanning for Docker weaknesses along with rapid exploitation to infect systems with coin-miners, denial-of-service tools, and ransomware.

Cybercriminals are ramping up their attacks on the Docker Engine — the software foundation of the container infrastructure used by many cloud-native companies. Researchers flagged a pair of cyber campaigns this week that showcase the increasing risk, including a compromise aimed at launching denial-of-service (DoS) attacks on Russian targets.

On May 5, researchers at cloud-management platform Uptycs said that attackers compromised the firm's honeypot, a Docker server configured to allow connections through the remote Docker API. The attackers installed cryptomining software and opened a reverse shell, which would have allowed them to explore the server in real time.

The company has detected 10 to 20 attempts to compromise the honeypot server every day, suggesting that attackers have increased their interest in Docker-based infrastructure, says Amit Malik, director of threat research at Uptycs.

“We configured one of our machines as a honeypot, and within three hours, we saw it compromised, so we had to shut it down and rebuild it,” Malik says. “The infection point is very rapid.”

The attacks on Uptycs' Docker-based infrastructure are not unique; other companies are seeing the same activity.

Unwitting Hosts to Hostile DoS Activity Against Russia
Honeypots maintained by cybersecurity services firm CrowdStrike experienced similar attacks through the Docker remote API, which by convention listens on TCP port 2375 (unencrypted) or 2376 (TLS), according to an analysis of an attack posted on May 4.

CrowdStrike researchers revealed that attackers compromised its honeypots through the open Docker API and then installed two malicious container images that were used to attack Russian and Belarusian sites.
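The weak spot both honeypots were built to exhibit, in the Uptycs case and in the CrowdStrike one, is a Docker Engine whose remote API answers on TCP without client authentication: whoever reaches the port can pull and run any image as root on the host. The following audit script is an added example (not code from the article, nor from Uptycs, CrowdStrike or the Docker project). It parses a daemon.json for TCP listeners that lack `tlsverify`, and can probe a host's `/version` and `/containers/json` endpoints, which are real Engine API routes; the daemon.json contents, certificate paths and the container listing embedded in the block are constructed samples.

```python
"""Audit helper for an exposed Docker Engine remote API.

Added example, not code from Uptycs, CrowdStrike or Docker. Two checks:
  1. audit_daemon_config(text) - flag tcp:// listeners in a daemon.json that
     do not require TLS client certificates ("tlsverify").
  2. probe_docker_api(host)    - GET /version and /containers/json on a host
     (real Engine API endpoints) and hand the raw responses to
     classify_probe(), which holds the decision logic so it can be run
     against the constructed samples below without any network.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed samples (not captured from any real host or config).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
SAMPLE_VERSION_BODY = json.dumps({"Version": "20.10.12", "ApiVersion": "1.41", "Os": "linux"})
SAMPLE_CONTAINERS_BODY = json.dumps([
    {"Id": "0123abcd", "Names": ["/worker"], "Image": "example.invalid/miner:latest", "State": "running"},
])


def audit_daemon_config(config_text):
    """Return (severity, message) findings for the TCP listeners in a daemon.json."""
    cfg = json.loads(config_text)
    findings = []
    for host in cfg.get("hosts", []):
        parsed = urlparse(host)
        if parsed.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if not cfg.get("tlsverify", False):
            # "tls": true alone only encrypts; without tlsverify any client that
            # can reach the port can run privileged containers on the host.
            findings.append(("high", f"{host}: remote API without TLS client verification"))
        elif parsed.hostname in (None, "0.0.0.0", "::"):
            findings.append(("info", f"{host}: client certs required, but bound to all interfaces; firewall it"))
    return findings


def classify_probe(version_status, version_body, containers_status=None, containers_body=None):
    """Decide from raw HTTP results whether a host exposes an unauthenticated Engine API."""
    if version_status is None:
        return {"exposed": False, "reason": "no HTTP response (closed, filtered or TLS-only)"}
    if version_status != 200:
        return {"exposed": False, "reason": f"HTTP {version_status} from /version"}
    try:
        version = json.loads(version_body)
    except ValueError:
        version = None
    if not isinstance(version, dict) or "ApiVersion" not in version:
        return {"exposed": False, "reason": "answered, but not with a Docker /version document"}
    result = {"exposed": True, "engine": version.get("Version"), "api": version["ApiVersion"], "containers": []}
    if containers_status == 200:
        try:
            for c in json.loads(containers_body):
                result["containers"].append(
                    {"image": c.get("Image"), "names": c.get("Names", []), "state": c.get("State")})
        except ValueError:
            pass  # exposed either way; the listing is just extra evidence
    return result


def _get(url, timeout):
    """GET a URL; return (status, body), or (None, '') when nothing answers."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def probe_docker_api(host, port=2375, timeout=3.0):
    """Read-only probe: the same first touch an attacker's scanner makes."""
    base = f"http://{host}:{port}"
    v_status, v_body = _get(base + "/version", timeout)
    c_status, c_body = (None, "")
    if v_status == 200:
        c_status, c_body = _get(base + "/containers/json", timeout)
    return classify_probe(v_status, v_body, c_status, c_body)


if __name__ == "__main__":
    import sys
    for sev, msg in audit_daemon_config(WEAK_DAEMON_JSON):
        print(f"[{sev}] {msg}")
    if len(sys.argv) > 1:  # probe a host you are authorized to test
        print(json.dumps(probe_docker_api(sys.argv[1]), indent=2))
```

Run without arguments to see the finding for the embedded weak config; pass a hostname to probe a daemon you are authorized to test. The probe only reads `/version` and `/containers/json`, so it does not change the target, but a 200 on those two endpoints is already proof that the host would accept a `POST /containers/create` from anyone on the network, which is exactly the path the honeypot attackers took.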

The target lists include the websites of the Russian and Belarusian governments, military, media, and retail sectors, as well as Russian mining, manufacturing, chemical, and technology sectors, according to CrowdStrike.

Both DoS-enabling container images are hosted on Docker Hub. One has been downloaded more than 100,000 times; the second, 50,000 times. CrowdStrike researchers noted that the portion of these downloads that originated from compromised machines is unknown.

The use of compromised infrastructure has far-reaching consequences for organizations that may unwittingly be participating in hostile activity against the Russian government, military, and civilian targets, the firm warned. Any investigation into the attack by Russian intelligence will likely point back to the victim’s server, says Adam Meyers, vice president of intelligence at CrowdStrike.

“It is a little different when they are using your infrastructure to attack a third party,” he says. “If [Russia or Belarus] starts looking at these attacks, they might say, ‘Oh, they are DoSing us, so we will DoS them.'”

Security Needs to Focus on Docker Threats
While Docker is well known in the development and DevOps communities, security professionals may not be as aware of the potential for insecure configurations or vulnerabilities to undermine enterprise security, Meyers says.
