Trend Micro Reports Cryptomining Attacks on Docker

TL;DR

Trend Micro recently reported finding a malicious payload inside a Docker container. The payload was specifically designed to escape from a privileged container so that the malware could infect all the workloads running on the host machine.

Many of the attacks found included the manipulation of images of containers to execute malicious functions
Key Facts
  1. In 2013, Docker Inc. was founded to support a commercial edition of its container-management software and to be the key backer of the open-source version.

  2. A 2019 survey found that 89 percent of software developers agree that microservices are vital for businesses to stay competitive in an ever-changing digital environment; as a result, an increasing number of enterprises and organizations are adopting the microservice architecture for its simplicity and flexibility.

  3. Malicious actors are targeting popular DevOps technologies and discovering new ways to compromise containers and cloud environments through them.

Details

Cryptocurrency has been making headlines in recent months. Meanwhile, both in the literature and in the wild, a new kind of attack is developing in which an attacker covertly runs crypto-mining software on the computers of unaware users. Given how easy it is to run a mining client on a target system, this attack, known as cryptojacking, has proved very effective.

With so many people chasing profit in the crypto sphere, threat actors now unfortunately target Docker as well, abusing container-escape techniques. Docker is an open-source software framework for developing, deploying, and managing virtualized application containers, together with an ecosystem of allied tools, on a shared operating system (OS).

Nearly every compromise involving Docker containers (at least among those that have been disclosed) has involved some kind of cryptojacking malware, planted by cybercriminals to mine digital currency on the victim's hardware. Many IT professionals tend to view these breaches as the digital equivalent of a victimless crime, especially when the compromised infrastructure belongs to a cloud service provider.

Increased container adoption has brought a wide variety of new risks to DevOps pipelines. Many of the attacks found involved manipulating container images to execute malicious functions. Recently, the cybersecurity start-up Prevasio reported that it had scanned 4 million container images on Docker Hub: almost 51 percent of the images contained critical vulnerabilities, and nearly 6,500 of them could be considered malicious.

Prevasio's research indicated that Linux and Linux containers in particular are not immune to security risks. Almost half of all container images hosted on Docker Hub contained one or more critical vulnerabilities and were potentially open to exploitation; only one-fifth of the images the start-up tested had no disclosed vulnerabilities at all.

Defending against Docker-related threats and attacks is not a herculean task. The discovery of yet another threat that compromises Docker containers should remind development teams not to expose the Docker daemon's ports to the public internet (the daemon API is root-equivalent; if a TCP listener is unavoidable, it should at least require TLS client certificates via --tlsverify) and not to run workloads with --privileged unless there is genuinely no alternative, since that is the starting point for the container escape described above. To reduce the attack surface further, development teams should also consider using only official Docker images.
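As an added example (not code from Trend Micro, Prevasio or the Docker project), the Python script below audits a host against the advice above: it flags a dockerd command line that listens on TCP without --tlsverify or on all interfaces, containers that run privileged or share host namespaces, bind mounts of the host root filesystem, and images that are not Docker Hub official images. It goes slightly beyond the paragraph by also treating a mounted Docker socket as daemon exposure. The dockerd command line and the `docker inspect`-style records are constructed sample input, and the function names are this example's own.

```python
"""Audit a Docker host for the exposures discussed above: a dockerd reachable
over plain TCP, privileged / host-namespace containers, and non-official images.

Added example, not Trend Micro's, Prevasio's or Docker's own code. The dockerd
command line and the `docker inspect`-style records below are constructed
sample input; on a real host, feed it `ps -o args= -C dockerd` and
`docker inspect $(docker ps -q)` instead."""
from __future__ import annotations

import json
import shlex

# Constructed sample: how dockerd was started on the host.
SAMPLE_DOCKERD_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

# Constructed sample: trimmed `docker inspect` output for three containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "Binds": ["webdata:/usr/share/nginx/html"]}},
    {"Name": "/miner-like",
     "Config": {"Image": "someuser/alpine-tools:latest"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "host",
                    "Binds": ["/:/host"]}},
    {"Name": "/ci-runner",
     "Config": {"Image": "docker.io/library/python:3.12"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])

ALL_INTERFACES = {"", "0.0.0.0", "::", "[::]"}


def daemon_exposure_findings(cmdline: str) -> list[str]:
    """Flag TCP listeners on the dockerd command line. A plain-TCP daemon is an
    unauthenticated root-equivalent API; one bound to all interfaces is exactly
    what cryptojacking worms scan the internet for."""
    args = shlex.split(cmdline)
    tls_required = any(a in ("--tlsverify", "--tlsverify=true") for a in args)
    hosts: list[str] = []
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    findings: list[str] = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        bind_addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if not tls_required:
            findings.append(f"dockerd listens on {host} without --tlsverify")
        if bind_addr in ALL_INTERFACES:
            findings.append(f"dockerd TCP listener {host} is bound to all interfaces")
    return findings


def is_official_image(ref: str) -> bool:
    """True only for Docker Hub official images: `name[:tag]`, `library/name`
    or `docker.io/library/name`. Other namespaces and registries are not
    official (they may still be fine, but they get no Docker-curated review)."""
    name = ref.split("@", 1)[0]  # drop any digest
    last = name.rsplit("/", 1)[-1]
    if ":" in last:  # strip the tag, but leave a registry port alone
        name = name[: len(name) - len(last) + last.index(":")]
    parts = name.split("/")
    if parts[0] in ("docker.io", "index.docker.io", "registry-1.docker.io"):
        parts = parts[1:]
    return len(parts) == 1 or (len(parts) == 2 and parts[0] == "library")


def container_findings(inspect_json: str) -> dict[str, list[str]]:
    """Return the risky settings of each container from `docker inspect` output."""
    report: dict[str, list[str]] = {}
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        hc = c.get("HostConfig", {})
        image = c.get("Config", {}).get("Image", "")
        found: list[str] = []
        if hc.get("Privileged"):
            found.append("runs with --privileged (all capabilities and host devices; "
                         "the precondition for the container escape)")
        if hc.get("PidMode") == "host":
            found.append("shares the host PID namespace")
        if hc.get("NetworkMode") == "host":
            found.append("shares the host network namespace")
        for bind in hc.get("Binds") or []:
            src = bind.split(":", 1)[0]
            if src == "/":
                found.append("bind-mounts the host root filesystem")
            elif src == "/var/run/docker.sock":
                found.append("mounts the Docker socket (full control of the daemon)")
        if not is_official_image(image):
            found.append(f"uses non-official image {image}")
        if found:
            report[name] = found
    return report


def audit(cmdline: str, inspect_json: str) -> dict:
    """Combine the daemon and container checks into one report."""
    return {"daemon": daemon_exposure_findings(cmdline),
            "containers": container_findings(inspect_json)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DOCKERD_CMDLINE, SAMPLE_INSPECT), indent=2))
```

On the sample input, the `web` container is clean, `miner-like` trips every check, and `ci-runner` is flagged only for the mounted Docker socket, which hands any process in that container the same control over the host that an exposed daemon port would.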

Regrettably, it is more a matter of how and when, rather than whether, containerized applications will be compromised. One hopes the harm inflicted will remain relatively minor, but most cybersecurity experts would not bet on it.

