Monero Cryptominers Hijack Unpatched Docker Hosts

Imperva’s security researchers reported crypto miners were exploiting hundreds of fragile Docker hosts of a cryptocurrency called Monero. Monero transactions are obscured, so the source, amount or destination of a transaction is nearly impossible to track.

In cryptojacking campaigns, hundreds of vulnerable and exposed Docker hosts are being abused after being compromised with the help of exploits designed to take advantage of the CVE-2019 – 5736 runC vulnerability.

Following the disclosure of a vulnerability in February, a runC flaw that allows an attacker to secure host root access in a Docker container, the new wave of attacks on Docker has begun. The attackers can do whatever they please once through the door, but cryptojacking seems to be the choice activity.

Security firm Imperva used Shodan as a tool to find open Docker ports, finding 3,822 on which the remote API of the platform was exposed publicly. Approximately 400 of those ports had IP addresses that were accessible on the port 2735/2736. The majority of them were cryptominers operating, with a smaller number of legitimate MySQL and Apache production servers.

“We found that a cryptocurrency miner for a currency called Monero is running most of the exposed Docker remote API IPs,” the researchers said.

“Monero transactions are obfuscated, meaning the source, amount, or destination of a transaction is almost impossible to track.”

Since cryptojackers have already compromised hundreds of hosts, and hundreds are readily available for exploitation, this new cryptojacking powered by Docker may be a high – profit campaign if vulnerable daemons are not patched.

Although Imperva’s research team only showcased one instance of abusing vulnerable Docker daemons, there can be a lot more potential attacks that might happen on compromised servers. Some of them are,

1)     Masked IP Attacks

2)    Botnet creation

3)    Phishing campaign hosting services

4)    Steal data and credentials

5)    Pivotal internal network attacks

Originally designed by Docker Inc., the Docker Container Platform was later moved into the open source community. In the six-year history of the company, Docker containers are downloaded 85 trillion times, showing the potential extent of the cryptomining threat. The runC specification is an OCI runtime used in Docker Engine and contained.

While there are cases where the Docker API requires remote access, Imperva recommends that adequate security controls be put in place to allow access to the API only by trusted sources as described in the Securing Docker remote daemon chapter on the Docker documentation website. “It can be useful to expose Docker ports and third-party apps such as ‘ portainer, ‘ a Docker management UI, ‘ they concluded.” However, you must ensure that security controls are created that allow interaction with the Docker API only by trusted sources.

Currently, the concern is that hundreds of Docker hosts have been potentially compromised with. It goes without saying that if the runC flaw is being utilized, the admins have not yet rectified the problem. Updating Docker to v18.09.2 or later should fix this flaw, although ensuring that it is implemented safely in the first place is still important.