BlackHat 2017: Multi-Stage Attack Targeting Container Developers

BlackHat 2017: Multi-Stage Attack Targeting Container Developers

In just about a week we will be live on stage at BlackHat 2017 with this tersely titled talk: Well that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers, and we are very excited.

In this talk we explore in detail an attack on developers who have Docker installed on their machine. We’ll be showing how it works on Docker for Windows users. The attack endgame is a persistent random code execution within the enterprise’s network, practically undetectable by existing security products from the host point of view.

We will do that by introducing two new forms of attacks: Host Rebinding and Shadow Containers. Host Rebinding is used to bypass the Same Origin Policy of browsers, while Shadow Containers is a persistency technique on the hypervisor running containers. Each of those attacks are useful on their own, while the ‘Host Rebinding’ attack is not even limited to containers environment.

Whitepaper: How Abusing Docker API Led to Remote Code Execution

If you think an attack on developers is not a real risk to your organization, think again.

An attack on a container developer has two angles: one is obvious, the other less so. The obvious one is the developer’s level of access to enterprise resources. Developers usually have a relatively high level of access privileges at their workstation, in many cases administrative privileges. For starters, they naturally have access to source code and SCM systems, test databases (which may contain copies of production data), test environments, etc. But in many cases, especially in DevOps environments, they may also have access to production.  Developers often need to perform operations which might look malicious, and for that reason security controls may either be turned off, or tuned to ignore these false positives.

The less obvious angle is that once an attacker gains control of a container developer workstation, he also gains the ability to pollute images built by the container developer. This in turn may enable the attacker to extend his control to production containers. We call this a “Shadow Worm”.

blackhat 2017

Image 1: ‘Shadow worm’ in the development pipeline

While the attack we show is a complex and multi-stage one, it’s not theoretical and should be treated as a serious risk. Obviously, we will not be leaving you helpless and we’ll finish with discussing how such attack can be mitigated.

Michael and Sagie

Michael Cherny

Michael is the Chief Architect at Aqua. Michael has more than 20 years of experience in cyber security. Prior to joining Aqua, he has held senior security research positions at Microsoft, Aorato and Imperva. Michael is a regular speaker at security conferences, among them BlackHat Europe, RSA Europe and Virus Bulletin. He is a connoisseur of single malt Whisky, especially the peaty ones from Islay.