Docker APIs are used for communications between the client and the Docker engine. Unfortunately, attackers are now using them as a new threat surface.
Researchers from Datadog have discovered a new kind of attack that targets exposed Docker APIs. The perpetrators behind this campaign were the same hackers behind Spinning YARN. However, this attack was unique and used a method not previously observed.
The attackers started by scanning for a specific weakness, publicly exposed Docker Engine hosts, to gain initial access. They found a Docker API exposed on port 2375 with broken authentication, a security misconfiguration.
By querying the Docker host with GET requests, the attackers gathered information about the server in order to attack it. They then attempted to bind-mount the root directory of the host itself into an Alpine Linux container and execute malicious shell commands from it.
If this succeeds, the attackers escalate their privileges: with the host filesystem mounted into the Alpine container they control, they have access to that filesystem through a container managed by the target Docker Engine. To gain persistence, they install cron jobs that download additional malware and disable firewalls or other obstacles in their way.
The last step is to modify the Secure Shell (SSH) configuration to accept connections from specific, attacker-controlled locations. At that point they have all the access and permissions they need to install cryptomining malware.
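As an added defender-side check that is not part of the original post or Datadog's report, this Python snippet audits the two conditions the chain above relies on: a Docker API listener configured without TLS in `daemon.json`, and a running container whose bind mounts expose the host's root directory. The container inspect output and the daemon configuration shown are constructed samples in the shape Docker produces, not data from the incident.

```python
import json

# Constructed sample in the shape of `docker inspect` / GET /containers/{id}/json,
# trimmed to the fields this check uses. Not real data from the incident.
SAMPLE_INSPECT = json.loads("""
[
  {"Id": "a1b2", "Name": "/web", "Config": {"Image": "nginx:1.25"},
   "HostConfig": {"Binds": ["app-data:/var/www"], "Privileged": false}},
  {"Id": "c3d4", "Name": "/tmp_alpine", "Config": {"Image": "alpine:latest"},
   "HostConfig": {"Binds": ["/:/mnt/host:rw"], "Privileged": false}}
]
""")

# Constructed sample daemon.json: the API is reachable over plain TCP on 2375
# and no TLS verification is configured, i.e. the misconfiguration described above.
SAMPLE_DAEMON_JSON = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
""")


def host_root_binds(inspect_data):
    """Return names of containers whose bind mounts expose the host's root directory.

    Each entry in HostConfig.Binds is "source:destination[:options]"; a source of "/"
    gives the container a view of the entire host filesystem.
    """
    findings = []
    for container in inspect_data:
        for bind in container.get("HostConfig", {}).get("Binds") or []:
            source = bind.split(":")[0]
            if source == "/":
                findings.append(container["Name"].lstrip("/"))
    return findings


def unauthenticated_tcp_listeners(daemon_cfg):
    """Return tcp:// listeners from daemon.json that are not protected by TLS client auth.

    Docker's `hosts` key lists every socket the daemon binds; `tlsverify` requires
    client certificates. Any tcp:// entry without it is an unauthenticated API endpoint.
    """
    tls_verify = bool(daemon_cfg.get("tlsverify", False))
    return [h for h in daemon_cfg.get("hosts", []) if h.startswith("tcp://") and not tls_verify]


if __name__ == "__main__":
    print("host-root mounts:", host_root_binds(SAMPLE_INSPECT))
    print("open API listeners:", unauthenticated_tcp_listeners(SAMPLE_DAEMON_JSON))
```

On a live host, feed the output of `docker inspect $(docker ps -q)` and the contents of `/etc/docker/daemon.json` to the two functions instead of the constructed samples.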
Although this is the first instance we’ve seen of this type of attack, it may not be the last. Docker APIs are a critical part of many online processes, and if ports are left open as in the case above, attackers can easily access information and effectively take over the Docker host to install malware.
In our ever-changing cyber landscape, new API attacks are popping up every day. Stay vigilant and learn how you can take charge of your API security with FireTail by booking a demo today here.