Docker Servers are Infected with Cryptocurrency-Mining Malware


Until recently, misconfigured Docker servers left exposed online were typically targeted with cryptocurrency-mining malware, which has helped criminal groups generate tremendous profits by hijacking other people's cloud resources.

However, in a study released this week, Trend Micro's security researchers have discovered what seems to be the first coordinated and ongoing series of attacks against Docker servers that infects misconfigured clusters with DDoS malware.

According to Trend Micro, the two botnets run versions of the XORDDoS and Kaiji malware strains. Both operations have a long and well-documented history, particularly XORDDoS, which has been spotted in the wild for years.

Until now, however, the two DDoS botnets had generally targeted routers and smart devices, never complex cloud setups such as Docker clusters.

“XORDDoS and Kaiji were known to exploit telnet and SSH for spreading beforehand, so I see Docker as a new vector that increases the botnet's potential, a green field full of fresh fruit to pick without immediate competitors,” said Pascal Geenens, cybersecurity evangelist at Radware.

“Usually, Docker containers can have more resources than IoT systems, but they usually operate in a more protected environment and DDoS attacks may be hard to fail for the server,” Geenens said.

“The unique perspective of IoT devices such as routers and IP cameras is that they have unrestricted internet access, but typically have less bandwidth and less horsepower than containers in a compromised environment,” the Radware researcher said.

“On the other hand, containers usually have access to far more memory, CPU, and network resources, but network resources may be limited to only one or a few protocols, resulting in a smaller arsenal of DDoS attack vectors enabled by those ‘mega’ bots.”

These limitations typically do not affect crypto-mining botnets, which only need an open HTTPS connection to the outside world, Geenens said.

Despite the limits on what a DDoS gang can do with hacked Docker clusters, Geenens says this won't deter attackers from this “green field full of fresh fruit to pick”: very few vulnerable IoT devices remain uncompromised, which is what prompted attackers to start targeting Docker servers.

As a side note, Geenens also said he believes DDoS operators are already familiar with Docker systems.

Although this is the first time they have hacked Docker clusters, Geenens believes attackers also use Docker to manage their own attack infrastructure.

“I don’t have any immediate proof, but I’m pretty sure that [Docker’s] automation and agility (DevOps) will benefit legitimate applications in the same way as illegal applications.”

The most common cause of Docker compromises is the management interface (API) being left exposed online without authentication or firewall protection. Checking for this is a good first step for readers looking to protect their servers.
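As an added example (not from the article or from Trend Micro's report), the check below reads the two places a Docker daemon's listeners are normally configured, the `hosts` key of `daemon.json` and the `-H`/`--host` flags on the `dockerd` ExecStart line, and flags any TCP listener that is reachable from other hosts without client-certificate verification. The sample configurations are constructed for illustration; the weak one listens on the conventional plain-text port 2375, the hardened one listens on 2376 with `tlsverify` on. Note that `tls: true` alone only encrypts the connection and still accepts any caller, which the audit treats as unauthenticated.

```python
import json
import shlex
from urllib.parse import urlsplit

# Conventional Docker daemon ports: 2375 plain-text, 2376 TLS.
DEFAULT_TCP_PORT = 2375
LOOPBACK = {"localhost", "::1"}


def _load(daemon_json: str) -> dict:
    """Parse daemon.json contents; an empty string means no file."""
    return json.loads(daemon_json) if daemon_json.strip() else {}


def configured_listeners(daemon_json: str, exec_start: str = "") -> list:
    """Every listener the daemon is configured with: the "hosts" key of
    daemon.json plus any -H / --host flags on the dockerd ExecStart line."""
    hosts = list(_load(daemon_json).get("hosts", []))
    args = shlex.split(exec_start) if exec_start else []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def client_auth_enabled(daemon_json: str, exec_start: str = "") -> bool:
    """True only when the daemon verifies client certificates ("tlsverify").
    "tls": true / --tls on its own encrypts but does not authenticate callers."""
    args = shlex.split(exec_start) if exec_start else []
    return (_load(daemon_json).get("tlsverify") is True
            or "--tlsverify" in args or "--tlsverify=true" in args)


def audit_docker_api(daemon_json: str, exec_start: str = "") -> list:
    """Return one (severity, listener, message) tuple per TCP listener."""
    findings = []
    authenticated = client_auth_enabled(daemon_json, exec_start)
    for listener in configured_listeners(daemon_json, exec_start):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only from the host itself
        bind = url.hostname or ""  # .hostname strips the brackets from [::]
        port = url.port or DEFAULT_TCP_PORT
        if not bind:
            findings.append(("INFO", listener,
                             "no bind address given; confirm the real socket with `ss -ltnp`"))
        elif bind in LOOPBACK or bind.startswith("127."):
            findings.append(("INFO", listener, f"loopback-only on port {port}"))
        elif not authenticated:
            findings.append(("CRITICAL", listener,
                             f"Docker API reachable from other hosts on port {port} with no "
                             "client authentication: anyone who can connect controls the daemon"))
        else:
            findings.append(("WARN", listener,
                             f"client certificates required on port {port}; still restrict the "
                             "port with a firewall so it is not reachable from the internet"))
    return findings


# Constructed sample configurations (hypothetical, for illustration only).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
# The same weak setup expressed on the systemd unit instead of in daemon.json.
WEAK_EXEC_START = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    for label, cfg, cmd in (("weak daemon.json", WEAK_DAEMON_JSON, ""),
                            ("weak ExecStart", "", WEAK_EXEC_START),
                            ("hardened daemon.json", HARDENED_DAEMON_JSON, "")):
        print(f"== {label}")
        for severity, listener, message in audit_docker_api(cfg, cmd):
            print(f"  [{severity}] {listener}: {message}")
```

The audit reads configuration only, so it never touches the network; on a real host, pair it with `ss -ltnp` to confirm what is actually listening, and with the firewall rules in front of the daemon, since a `WARN` finding still relies on those rules to keep the port off internet-wide scanners.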

Trend Micro also recommends in its report that server administrators protect their Docker deployments by following a set of core steps, outlined here.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.