Facebook   Tumblr   LinkedIn

Docker filled with Graboid Cryptomining Worm

Walden Systems Geeks Corner News Docker filled with Graboid Cryptomining Worm Rutherford NJ New Jersey NYC New York City North Bergen County
Rita gives you full control of what sites your employees visit. Rita can block sites that eat up your precious bandwidth such as media streaming sites. Rita enables you full control of what sites your employees can and cannot visit. Rita gives you the ability to block undesirable sites by wildcard or by name. Rita gives you the ability to determine which computers will be blocked and which will be allowed. With Rita, you can block access to sensitive servers within your LAN.

A worm with a randomized propagation method is spreading in Docker. According to researchers, the worm has infected more than 2,000 unsecured Docker Engine hosts located mainly in China and the U.S. The Graboid malware is named after the sandworms in the 1990 Kevin Bacon movie, Tremors and mines the Monero Cryptocurrency.

According to researchers at Unit 42, the initial malicious Docker image has been downloaded more than 10,000 times. Administrators can spot infections by looking for the presence of an image called gakeaws/nginx in the image build history. The hackers gained a foothold through unsecured Docker daemons, where a Docker image containing a Docker client tool used to communicate with other Docker hosts. This allowed the hackers access without any authentication or authorization.

Once the malicious Docker container is up and running, it downloads four different scripts and a list of vulnerable and infected hosts from one of its 15 C2 servers. It randomly picks three targets, installing the worm on the first target, stopping the miner installed on a second infected host, and starting the miner on a third, also already-infected, target. This procedure leads to a very random mining behavior since the malicious container does not start immediately. Essentially, the miner on every infected host is randomly controlled by all other infected hosts.

In a simulation using a potential victim pool of 2,000, researchers found that the worm can reach 70 percent of them in about an hour. Each miner is active 63 percent of the time and each mining period lasts for 250 seconds in the simulation. Researchers showed that there are an average of 900 active miners at any time in a compromised cluster of 1,400 hosts.

Container technologies like Docker are targets for hackers since traditional security tools don't look inside to look for malicious code. Also, they can often be left unsecured and open to the internet. According to researchers, most containers ( including Kubernetes and Mesos ) suffer from poorly configured resources, lack of credentials and the use of non-secure protocols. As a result, hackers can remotely access the infrastructure to install, remove or encrypt any application that the company is running in the cloud. Securing your containers is important, but this type of attacks demonstrates that you can’t ignore the infrastructure supporting those containers either.