A worm with a randomized propagation method is spreading in Docker. According to researchers, the worm has infected more than 2,000 unsecured Docker Engine hosts located mainly in China and the U.S. The Graboid malware is named after the sandworms in the 1990 Kevin Bacon movie, Tremors and mines the Monero Cryptocurrency.
According to researchers at Unit 42, the initial malicious Docker image has been downloaded more than 10,000 times. Administrators can spot infections by looking for the presence of an image called gakeaws/nginx in the image build history. The hackers gained a foothold through unsecured Docker daemons, where a Docker image containing a Docker client tool used to communicate with other Docker hosts. This allowed the hackers access without any authentication or authorization.
Once the malicious Docker container is up and running, it downloads four different scripts and a list of vulnerable and infected hosts from one of its 15 C2 servers. It randomly picks three targets, installing the worm on the first target, stopping the miner installed on a second infected host, and starting the miner on a third, also already-infected, target. This procedure leads to a very random mining behavior since the malicious container does not start immediately. Essentially, the miner on every infected host is randomly controlled by all other infected hosts.
In a simulation using a potential victim pool of 2,000, researchers found that the worm can reach 70 percent of them in about an hour. Each miner is active 63 percent of the time and each mining period lasts for 250 seconds in the simulation. Researchers showed that there are an average of 900 active miners at any time in a compromised cluster of 1,400 hosts.
Container technologies like Docker are targets for hackers since traditional security tools don't look inside to look for malicious code. Also, they can often be left unsecured and open to the internet. According to researchers, most containers ( including Kubernetes and Mesos ) suffer from poorly configured resources, lack of credentials and the use of non-secure protocols. As a result, hackers can remotely access the infrastructure to install, remove or encrypt any application that the company is running in the cloud. Securing your containers is important, but this type of attacks demonstrates that you can’t ignore the infrastructure supporting those containers either.