Cybercriminals are now targeting vulnerable and exposed Docker containers to deploy cryptojacking campaigns. Research by security firm Imperva showed that attackers relied on Docker's API to sneakily mine cryptocurrency.
The exposed Docker ports were found through the Shodan search engine. Generally, these open ports are required for third-party platforms such as Portainer to manage Docker containers.
Worth noting
Misconfiguring servers can prove costly
Imperva emphasized that many organizations fail to configure their Docker services regularly.
“The Docker remote API listens on ports 2735 / 2736. By default, the remote API is only accessible from the loopback interface (“localhost”, “127.0.0.1”), and should not be available from external sources. However, as with other cases — for example, publicly accessible Redis servers such as RedisWannaMine — sometimes organizations are misconfiguring their services, allowing easy access to their sensitive data,” said the company.
How to protect Docker containers?
Docker containers can be protected against such attacks by enabling TLS verification and then pointing Docker's 'tlscacert' flag to a trusted CA certificate. This way, Docker will communicate securely. More details about this can be found in the Docker documentation.
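A small audit of this advice, as an added example that is not code from Imperva or the Docker project: it reads a dockerd `daemon.json` and flags any TCP listener bound beyond loopback unless `tlsverify` and `tlscacert` are both set. The sample configurations and certificate paths are constructed, and requiring an explicit `tlscacert` entry is this example's assumption.

```python
import json
from urllib.parse import urlparse

LOOPBACK_NAMES = {"localhost", "::1"}


def audit_daemon_config(config_text):
    """Return findings for TCP listeners in a dockerd daemon.json document."""
    cfg = json.loads(config_text)
    # Assumption of this example: both keys must be set explicitly.
    client_certs_required = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are not reachable over the network
        addr = url.hostname or "0.0.0.0"  # "tcp://:PORT" binds every interface
        if addr in LOOPBACK_NAMES or addr.startswith("127."):
            continue  # loopback-only listener, the default exposure the article describes
        if not client_certs_required:
            findings.append(
                f"{host}: remote API exposed without tlsverify and tlscacert both set"
            )
    return findings


# Constructed sample: API bound to all interfaces with no TLS settings.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample: same exposure, but clients must present a certificate
# signed by the configured CA. Paths are placeholders.
HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        results = audit_daemon_config(text)
        print(name, "->", results or "no findings")
```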