Hackers Exploiting Docker Swarm, Kubernetes, & SSH Servers

A group of hackers has been attacking and installing crypto mining software on Docker Swarm, Kubernetes, and SSH servers.


In 2024, API attacks are at an all-time high, and every day brings news of recent breaches, vulnerabilities, and other malicious activity in the cyber landscape.

In the past, we’ve reported on crypto mining campaigns using exposed Docker APIs as an attack vector. Today we’ll look at how these campaigns have been targeting Docker Swarm, Kubernetes, and Secure Shell (SSH) servers.

Attack Flow

In order to exploit the platforms, attackers begin by sending commands to exposed Docker APIs. They find these vulnerable endpoints using Internet scanning tools such as masscan and zgrab.

Threat actors employ a “multi-stage approach,” initially exploiting exposed “Docker API endpoints” to gain access. - Datadog

Once they find an exposed endpoint, the hackers use the Docker API to spawn an Alpine container and execute a shell command to initiate the infection chain.
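A host-side check for the entry point described above, written for this post as an added example (not code from the original article or from Datadog's report): it audits the two places where dockerd's listen addresses are normally set, /etc/docker/daemon.json and the systemd ExecStart line, and flags any tcp:// listener that is not protected by --tlsverify. The sample inputs at the bottom are constructed for illustration.

```python
import json
import shlex
from typing import Dict, List

def _config_from_daemon_json(text: str) -> Dict:
    """Parse daemon.json (may be empty) into a dict."""
    return json.loads(text) if text.strip() else {}

def _argv_from_execstart(line: str) -> List[str]:
    """Turn a systemd 'ExecStart=/usr/bin/dockerd ...' line into argv."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    return shlex.split(cmd)

def _flag_values(argv: List[str], names) -> List[str]:
    """Collect values for flags given as '-H x', '--host x' or '--host=x'."""
    vals = []
    for i, tok in enumerate(argv):
        if tok in names and i + 1 < len(argv):
            vals.append(argv[i + 1])
        elif any(tok.startswith(n + "=") for n in names):
            vals.append(tok.split("=", 1)[1])
    return vals

def audit_docker_api_exposure(daemon_json: str, execstart: str) -> List[str]:
    """Return findings for TCP listeners that expose the Docker API without mutual TLS."""
    cfg = _config_from_daemon_json(daemon_json)
    argv = _argv_from_execstart(execstart)
    # dockerd refuses to start if 'hosts' is set in both places; merging is fine for an audit.
    hosts = list(cfg.get("hosts", [])) + _flag_values(argv, ("-H", "--host"))
    tls_verify = bool(cfg.get("tlsverify")) or any(
        t in ("--tlsverify", "--tlsverify=true") for t in argv)
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = h[len("tcp://"):]
        if not tls_verify:
            findings.append(f"CRITICAL: {h} serves the Docker API with no client authentication")
        elif addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append(f"WARN: {h} is reachable on all interfaces; restrict to a management address")
    return findings

# Constructed sample inputs (not taken from a real host):
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXECSTART = "ExecStart=/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for finding in audit_docker_api_exposure(SAMPLE_DAEMON_JSON, SAMPLE_EXECSTART):
        print(finding)
```

Run it against the real files on each Docker host; a CRITICAL finding is exactly the exposed endpoint the scanners in this campaign look for.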

To conceal their actions, the hackers fetch a process obfuscator, compiled as a Linux shared object file, from the command and control (C2) server and load it using a technique known as Dynamic Linker Hijacking.

Analysis of this campaign also revealed a Docker Hub user operated by the threat actors.

The hackers deploy malicious payloads to facilitate lateral movement and resource hijacking across the platforms in question. For instance, one of the payloads was used to identify and compromise Kubernetes’ kubelet API. 

This lateral movement technique is similar to the one used by attackers in 2021 to exploit Trend Micro in a campaign attributed to TeamTNT. The threat actors use a third shell script to identify and compromise SSH servers on the local network.

From inside, the malware shuts down ‘security features’ and adds ‘mining programs.’

This is far from the first time crypto mining software and Docker Hub have been leveraged to launch attacks on other platforms. However, what is unique about this approach is the use of Docker Swarm.

After entering the network, the script forces the existing host to leave a Swarm and join a new Swarm controlled by the threat actor using a predefined token. 

This allows the hacker to expand their control over multiple Docker instances at once.

Takeaways:

Platforms like Docker Swarm, Kubernetes, and SSH servers continue to be vulnerable to outside attack through a variety of orchestrated methods, including the method employed by this attack group using exposed and vulnerable Docker APIs. 

However, for these attacks to happen at all, the bad actors need an existing weakness, specifically an exposed endpoint (what security experts commonly refer to as “low hanging fruit”), to gain entry in the first place.

So, as usual, it is a matter of maintaining vigilance over your API landscape and keeping track of all API endpoints, including those no longer in use. API security is confusing, especially as it is constantly changing and evolving, but FireTail can help.

Get full visibility into your API landscape and check all your endpoints for vulnerabilities proactively with FireTail. To see how it works, schedule a demo or try it out for free yourself, today.