Cado Security Labs Identifies Campaign to Compromise Docker Hosts
Cado Security Labs today published a report identifying an ongoing effort to abuse Docker hosts by running containers for the 9hits service to create fraudulent web traffic.
9hits is a service that lets an organization buy credits that can be redeemed to generate web traffic. The cost of those credits is reduced if the organization agrees to run the 9hits viewer Docker application, which the service uses to generate traffic for other customers' sites. That application drives a headless instance of the Chrome browser.
In addition, Cado Security Labs reported that the threat actors are also using the same attack vector to run an instance of the XMRig miner in a Docker container to generate cryptocurrency.
The containers are deployed on a vulnerable Docker host from a remote server. Cado Security has been unable to obtain a copy of the spreader used to deploy the two containers; the activity it analyzed was captured on a honeypot. The attacker spoofs the user agent so that requests appear to come from a Docker client, and the order of application programming interface (API) requests in the capture is identical to that of an actual Docker command line interface (CLI) session. The researchers therefore consider it probable that the attacker uses a script that sets the DOCKER_HOST variable to point at the exposed Docker API and then runs the regular CLI to compromise the server. The unidentified spreader invokes each container with a custom command that kick-starts the infection.
Cado Security Labs researchers note that attackers commonly use a generic Alpine operating system image to break out of a container and run their malware on the host. In this campaign, however, the attacker makes no attempt to escape the container and simply runs it with a predetermined command.
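The two preceding paragraphs describe the attack vector (an unauthenticated Docker API reached by pointing DOCKER_HOST at it) and the container shapes involved (a 9hits viewer image, an XMRig miner launched with a custom command, and the generic Alpine-plus-host-mount pattern used for breakouts). The following audit script is an added example written for this page; it is not Cado Security's tooling and the image names, commands and container records in it are constructed to resemble `docker inspect` output. It checks a dockerd command line for TCP listeners without TLS verification and flags containers whose image, command or host-mount configuration matches those patterns.

```python
"""Audit a Docker host for an exposed API and for containers shaped like the
9hits / XMRig campaign. Added example, not Cado Security's code. Runs offline on
constructed sample data; on a live host feed it the dockerd argv from
/proc/$(pidof dockerd)/cmdline and the JSON from `docker inspect $(docker ps -q)`.
"""
import json
import os
import re
from typing import Dict, List

# Indicators named in the article. The regexes are illustrative assumptions,
# not a complete signature set; extend them with your own intel.
SUSPICIOUS_IMAGE = re.compile(r"9hits|xmrig", re.IGNORECASE)
SUSPICIOUS_CMD = re.compile(r"xmrig|stratum\+tcp|--donate-level|9hits", re.IGNORECASE)
# Host paths that, when bind-mounted into a generic image, give host-level access.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def exposed_api_listeners(dockerd_args: List[str]) -> List[str]:
    """Return tcp:// listeners configured without --tlsverify.

    dockerd accepts repeated -H/--host flags. A TCP listener without TLS client
    verification is exactly the API an attacker drives by setting DOCKER_HOST.
    """
    tls = any(a in ("--tlsverify", "--tlsverify=true") for a in dockerd_args)
    hosts = []
    it = iter(dockerd_args)
    for arg in it:
        if arg in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
    return [h for h in hosts if h.startswith("tcp://") and not tls]


def _sensitive_host_path(src: str) -> bool:
    """True if a bind-mount source is the host root or another sensitive host path."""
    p = os.path.normpath(src)
    if not p.startswith("/"):
        return False  # a named volume, not a host path
    return p == "/" or any(p == s or p.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)


def flag_container(c: Dict) -> List[str]:
    """Return the reasons one `docker inspect` record looks like this campaign."""
    cfg = c.get("Config") or {}
    hc = c.get("HostConfig") or {}
    image = cfg.get("Image", "")
    cmd = " ".join(cfg.get("Cmd") or [])
    reasons = []
    if SUSPICIOUS_IMAGE.search(image):
        reasons.append(f"known-abused image: {image}")
    if SUSPICIOUS_CMD.search(cmd):
        reasons.append(f"suspicious command: {cmd}")
    for bind in hc.get("Binds") or []:  # "hostpath:containerpath[:opts]"
        if _sensitive_host_path(bind.split(":", 1)[0]):
            reasons.append(f"host path mounted: {bind}")
    if hc.get("Privileged"):
        reasons.append("privileged container")
    if hc.get("PidMode") == "host":
        reasons.append("shares host PID namespace")
    return reasons


def audit(dockerd_args: List[str], containers: List[Dict]) -> Dict:
    """Combine the listener check and per-container checks into one report."""
    flagged = {}
    for c in containers:
        reasons = flag_container(c)
        if reasons:
            flagged[c["Name"]] = reasons
    return {"exposed_listeners": exposed_api_listeners(dockerd_args), "flagged": flagged}


# Constructed sample input: a dockerd listening on the unauthenticated TCP port,
# one benign container and three shaped like the behaviour described above.
SAMPLE_DOCKERD_ARGS = ["dockerd", "-H", "unix:///var/run/docker.sock", "-H", "tcp://0.0.0.0:2375"]
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False}},
    {"Name": "/viewer", "Config": {"Image": "example/9hits-viewer:latest", "Cmd": ["/start.sh"]},
     "HostConfig": {"Binds": [], "Privileged": False}},
    {"Name": "/miner", "Config": {"Image": "alpine:latest",
                                  "Cmd": ["sh", "-c", "xmrig -o stratum+tcp://pool.example:3333"]},
     "HostConfig": {"Binds": [], "Privileged": False}},
    {"Name": "/breakout", "Config": {"Image": "alpine:latest", "Cmd": ["chroot", "/host", "sh"]},
     "HostConfig": {"Binds": ["/:/host"], "Privileged": False}},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_DOCKERD_ARGS, SAMPLE_CONTAINERS), indent=2))
```

On the sample data the script reports the `tcp://0.0.0.0:2375` listener and flags `/viewer`, `/miner` and `/breakout` while leaving `/web` alone. The listener check is the one to act on first: binding the daemon to a unix socket only, or to TCP with `--tlsverify` and client certificates, removes the vector the article describes regardless of which image the attacker chooses next.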
Matt Muir, a threat intelligence researcher at Cado Security Labs, said the primary reason threat actors target compute resources in this way is to improve search engine optimization (SEO) rankings with traffic that is generated without permission, using infrastructure they do not have to pay for. Such attacks typically lead to increased networking and potentially computing costs for organizations that are unaware those resources are being stolen.
Inflating SEO rankings this way ultimately reduces the legitimate web traffic that other organizations would otherwise receive from search engines. As a result, the organizations affected by this compromise of IT infrastructure extend well beyond those that are billed for the infrastructure used.
The only way to effectively thwart this type of sophisticated cyberattack is to constantly monitor Docker hosts to identify unusual patterns of consumption of infrastructure resources, said Muir. Of course, that requires being able to establish a baseline for what consumption of those resources would normally be, he added.
It’s not clear how pervasive this latest compromise of Docker computing environments may be but it’s apparent cybercriminals have mastered the use of this type of software artifact for their own illicit purposes. The only thing that remains to be seen is how committed IT and cybersecurity teams are to putting a stop to it.