Posted on June 27, 2020 at 3:30 PM
Cryptocurrency-mining malware has long targeted Docker servers that were misconfigured and left exposed online. Those misconfigurations have let cybercriminals rake in large profits by hijacking their victims’ cloud resources.
But in a recently published report, Trend Micro security researchers describe what appears to be the first persistent and organized campaign against Docker servers that infects misconfigured clusters with DDoS malware.
Kaiji and XORDDoS botnets responsible for the attack
According to the Trend Micro team, the two botnets discovered are running versions of the Kaiji and XORDDoS malware strains. Both are well known for their attacks, particularly XORDDoS, which has been used in the wild for several years and whose activity other security researchers have documented in past reports.
Until now, however, both botnets had limited themselves to smart devices and routers. They had not been seen going after more complex cloud systems such as Docker clusters.
Pascal Geenens, a security expert at Radware, notes that Kaiji and XORDDoS have in the past been known as botnets that spread over SSH and Telnet. XORDDoS now appears to be treading a new path with its interest in Docker, and according to Geenens this new attack vector increases its potency. Geenens was explaining the dangers the botnet poses to Docker servers when appropriate security measures are not applied.
Docker containers will generally have more resources than IoT devices, he went on, but they usually operate in a more secure environment, to the point where it may be almost impossible for a container to carry out a DDoS attack.
Geenens noted that IoT devices such as IP cameras and routers are in a peculiar position: they have uncontrolled access to the internet, but less horsepower and less bandwidth than containers in a vulnerable environment.
“Containers, on the other hand, typically have access to way more resources in terms of memory, CPU, and network,” he said.
Because a container’s network access may be restricted to a few protocols, the researcher added, the two botnets would have a narrower set of DDoS attack vectors available to them.
Cryptocurrency-mining botnets, by contrast, are usually unaffected by such limitations, since all they need is an outbound HTTPS channel to the outside world.
Geenens reiterated that, even with these constraints on what a DDoS group can do with a compromised Docker cluster, the attackers keep trying. The difficulty of pulling off a successful Docker cluster attack does not deter them.
Hackers looking for fresh fruits
Many IoT devices are vulnerable and have already been infected. So, as attackers look for “fresh fruits to pick,” their alternative is to try their luck on Docker servers.
According to Geenens, attackers feel they stand to gain more from compromising a fresh server with no history of exploitation than from sticking with IoT devices that may already have been harvested. That, he said, is why they keep going after Docker servers despite their better security features.
DDoS hackers already familiar with Docker servers
Interestingly, Geenens suggested that the DDoS actors may already be quite familiar with Docker. Although these groups had not previously attacked Docker systems, he suggested they have been using Docker to manage their own infrastructure. As a result, they have learned a good deal about the system and its protocols, which is why they decided to target it.
Ensuring proper authentication
Geenens also reiterated that, although he has no evidence for it, he believes that just as legitimate applications benefit from Docker’s agility and automation, illicit ones will enjoy the same benefits.
The Docker management interface (the API) is the most common entry point for attackers when it is left exposed online without firewall protection or authentication. Geenens therefore advises users to make sure the API requires proper authentication to keep their systems safe.
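As an added illustration of the exposed-API point above (this is not code from the article, Trend Micro or Radware), the following Python audits a Docker daemon.json: it flags the weak setting, a tcp:// listener without tlsverify, and accepts the corrected one that requires mutual TLS on a management address. The key names follow Docker’s documented daemon.json options; the certificate paths, the 10.0.0.5 management address and the three sample configurations are constructed for the example.

```python
"""Audit a Docker daemon.json for a network-exposed, unauthenticated API.

Added example: this is not code from the article, Trend Micro or Radware.
The keys follow Docker's documented daemon.json options ("hosts", "tls",
"tlsverify", "tlscacert", "tlscert", "tlskey"); the three configurations
below, the file paths and the management IP are constructed for illustration.
"""
import json
from urllib.parse import urlsplit

# Constructed: the weak setting the article warns about. The daemon listens
# on every interface on the plaintext port with no client authentication, so
# anyone who can reach 2375/tcp can drive the API (and run containers) on it.
INSECURE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed: "tls": true alone only encrypts the channel. Without
# "tlsverify" the daemon never asks the client for a certificate, so the API
# is still open to anyone who can connect.
TLS_ONLY_DAEMON_JSON = """
{
  "hosts": ["tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed: the corrected setting. Remote management stays possible, but
# only on a management address, over TLS, and only for clients presenting a
# certificate signed by the CA in tlscacert (mutual TLS).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# "tcp://:2375" (no host part) also binds every interface; urlsplit gives None.
ALL_INTERFACES = {None, "0.0.0.0", "::"}


def audit_daemon_config(raw_json: str) -> list:
    """Return one finding string per problem with the daemon's TCP listeners.

    An empty list means the API is either local-only (unix:// or fd://, or no
    "hosts" key at all) or reachable only with mutual TLS on a specific address.
    """
    cfg = json.loads(raw_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are not reachable over the network
        parts = urlsplit(host)
        if not cfg.get("tlsverify", False):
            findings.append(
                f"{host}: accepts unauthenticated clients (tlsverify not enabled)"
            )
        else:
            missing = [k for k in ("tlscacert", "tlscert", "tlskey") if k not in cfg]
            if missing:
                findings.append(
                    f"{host}: tlsverify enabled but missing {', '.join(missing)}"
                )
        if parts.hostname in ALL_INTERFACES:
            findings.append(
                f"{host}: bound to every interface; firewall it or bind a management address"
            )
    return findings


if __name__ == "__main__":
    samples = (("insecure", INSECURE_DAEMON_JSON),
               ("tls-only", TLS_ONLY_DAEMON_JSON),
               ("hardened", HARDENED_DAEMON_JSON))
    for name, cfg in samples:
        problems = audit_daemon_config(cfg)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

The check only reads daemon.json; a listener added with a `-H tcp://...` flag in the dockerd command line (for example in a systemd unit) has to be audited the same way. The tls-only sample is there because enabling TLS encryption is easily mistaken for enabling authentication: without tlsverify (and a CA to verify against) the daemon still answers any client.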