Unhealthy actors have been noticed focusing on Docker distant API servers to deploy the SRBMiner crypto miner on compromised situations, in keeping with new findings from Pattern Micro.
“On this assault, the menace actor used the gRPC protocol over h2c to evade security options and execute their crypto mining operations on the Docker host,” researchers Abdelrahman Esmail and Sunil Bharti stated in a technical report printed at the moment.
“The attacker first checked the supply and model of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC strategies to control Docker functionalities.”
All of it begins with the attacker conducting a discovery course of to test for public-facing Docker API hosts and the supply of HTTP/2 protocol upgrades as a way to observe up with a connection improve request to the h2c protocol (i.e., HTTP/2 sans TLS encryption).
The adversary additionally proceeds to test for gRPC strategies which might be designed to hold out numerous duties pertaining to managing and working Docker environments, together with these associated to well being checks, file synchronization, authentication, secrets and techniques administration, and SSH forwarding.
As soon as the server processes the connection improve request, a “/moby.buildkit.v1.Management/Clear up” gRPC request is distributed to create a container after which use it to mine the XRP cryptocurrency utilizing the SRBMiner payload hosted on GitHub.
“The malicious actor on this case leveraged the gRPC protocol over h2c, successfully bypassing a number of security layers to deploy the SRBMiner crypto miner on the Docker host and mine XRP cryptocurrency illicitly,” the researchers stated.
The disclosure comes because the cybersecurity firm stated it additionally noticed attackers exploiting uncovered Docker distant API servers to deploy the perfctl malware. The marketing campaign entails probing for such servers, adopted by making a Docker container with the picture “ubuntu:mantic-20240405” and executing a Base64-encoded payload.
The shell script, apart from checking and terminating duplicate situations of itself, creates a bash script that, in flip, incorporates one other Base64-encoded payload chargeable for downloading a malicious binary that masquerades as a PHP file (“avatar.php”) and delivers a payload named httpd, echoing a report from Aqua earlier this month.
Customers are really helpful to safe Docker distant API servers by implementing sturdy entry controls and authentication mechanisms to forestall unauthorized entry, monitor them for any uncommon actions, and implement container security greatest practices.