CrowdStrike Details Sophisticated Container Cryptojacking Campaign

At the KubeCon + CloudNativeCon North America conference today, CrowdStrike revealed details of a complex cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. The campaign combines an obscure domain for payload delivery with container escape attempts and anonymized “dog” mining pools.

Dubbed Kiss-a-dog, the cryptojacking campaign uses multiple command-and-control (C2) servers to launch attacks that attempt to mine cryptocurrency using the libprocesshider user-mode rootkit and the Diamorphine kernel-mode rootkit. It then further obscures the backdoors it creates as it moves laterally across a network. It uses scanning tools to detect additional vulnerable containers as well as instances of the Redis database that can be compromised. The Kiss-a-dog campaign also installs a Redis server in the background that listens on port 6379 for incoming connections. The Redis server is mostly used to backdoor the container, where cron jobs are set to run additional scripts for mining and pivoting as required.

Manoj Ahuje, senior threat researcher for cloud security at CrowdStrike, says the Kiss-a-dog campaign relies on tools and techniques previously associated with cryptojacking groups such as TeamTNT.

The entry point payload used in the initial Docker compromise is written in Python. The Kiss-a-dog attack compiles, on the compromised containers themselves, the multiple tools required for the next stages of the campaign. It installs the relevant kernel headers and GCC to build binaries specific to the container's Linux architecture and flavor, then uses them on the same container, he says.

The URL used in the payload is obscured with backslashes to defeat automated decoding and regex-based extraction of the malicious domain. The Python urllib2 library strips the backslashes as part of its validation to form a valid domain name before querying a Domain Name System (DNS) server. After a successful name resolution, the attackers download the first payload, t.sh, from a C2 server, which is then saved and executed. The Kiss-a-dog campaign uses a host mount to escape from the container.
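The backslash trick described above matters to defenders because a detection rule that regex-matches the raw payload string sees a truncated hostname, while the victim's URL library sees the real one. The following is an added example (not code from the article or from CrowdStrike) showing a naive extractor beside a normalizing one that strips backslashes before parsing, so that denylist matching operates on what the victim actually resolves. The sample URL, the `.invalid` placeholder domain and the `DENYLIST` contents are constructed; the assumption that plain backslash removal reproduces the library behaviour the article describes is labelled in the code.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: backslashes inserted into the hostname and path in the
# style the article describes. The domain is a placeholder (RFC 2606 .invalid),
# not the campaign's real C2 domain.
OBSCURED_URL = r"http://c\2-exa\mple.invalid/t\.sh"

# Constructed denylist of domains an analyst has flagged (placeholders).
DENYLIST = {"c2-example.invalid"}

# A backslash-unaware regex of the kind that automated extraction might use.
NAIVE_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def naive_extract_host(url: str):
    """Return the host a naive regex sees in the raw string (or None).

    On the obscured sample this stops at the first backslash, yielding
    a fragment that will never match a denylist entry.
    """
    m = NAIVE_HOST_RE.search(url)
    return m.group(1) if m else None


def normalize_url(url: str) -> str:
    """Remove backslashes before parsing.

    Assumption: dropping every backslash is enough to reproduce what the
    article says the victim's URL library does; this is not a claim about
    any specific library's internals.
    """
    return url.replace("\\", "")


def extract_host(url: str):
    """Hostname of the normalized URL, lower-cased, or None."""
    host = urlsplit(normalize_url(url)).hostname
    return host.lower() if host else None


def is_denylisted(url: str) -> bool:
    """True when the host the victim would resolve is on the denylist."""
    host = extract_host(url)
    return host is not None and host in DENYLIST


if __name__ == "__main__":
    print("naive regex sees:     ", naive_extract_host(OBSCURED_URL))
    print("normalized URL:       ", normalize_url(OBSCURED_URL))
    print("resolved host:        ", extract_host(OBSCURED_URL))
    print("denylisted:           ", is_denylisted(OBSCURED_URL))
```

The practical lesson is to normalize the string the same way the consuming parser will before applying indicators or regexes; a rule that inspects the raw payload text matches only the fragment before the first backslash.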

After the container escape, the malware gains access to root privileges to stop and uninstall any monitoring service it detects.
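Because the escape described above depends on a host mount, a useful preventive control is to refuse or flag pod specifications that mount the node's root filesystem, run privileged, or share host namespaces. The following is an added example (my own defensive check, not CrowdStrike's tooling or anything from the article) that audits a Kubernetes Pod manifest, represented as a Python dict, for those settings. Both pod specs are constructed with placeholder names and images; the `audit_pod` function and its finding strings are my own.

```python
from typing import Any, Dict, List

# Constructed pod manifest (dict in the shape of a Kubernetes Pod) that mounts
# the node's root filesystem and runs privileged with the host PID namespace.
HOST_ROOT_POD: Dict[str, Any] = {
    "metadata": {"name": "suspect-pod"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app",
            "image": "registry.invalid/app:latest",  # placeholder image
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
    },
}

# Constructed pod manifest with none of the risky settings.
SAFE_POD: Dict[str, Any] = {
    "metadata": {"name": "web"},
    "spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web",
            "image": "registry.invalid/web:1.0",  # placeholder image
            "securityContext": {"privileged": False},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}

HOST_NAMESPACE_KEYS = ("hostPID", "hostNetwork", "hostIPC")


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of findings describing host-escape enablers in a pod spec.

    Flags: host namespaces, any hostPath volume (node root "/" called out
    explicitly), privileged containers, and which container mounts which
    hostPath volume where. An empty list means nothing was flagged.
    """
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    for key in HOST_NAMESPACE_KEYS:
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")

    # Map volume name -> host path so mounts can be attributed to containers.
    host_volumes: Dict[str, str] = {}
    for vol in spec.get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is None:
            continue
        path = host_path.get("path", "")
        host_volumes[vol["name"]] = path
        if path in ("", "/"):
            findings.append(f"{name}: volume {vol['name']} exposes the node root filesystem")
        else:
            findings.append(f"{name}: volume {vol['name']} is a hostPath ({path})")

    for container in spec.get("containers", []) + spec.get("initContainers", []):
        cname = container.get("name", "<unnamed>")
        if container.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{cname}: runs privileged")
        for mount in container.get("volumeMounts", []):
            vname = mount.get("name")
            if vname in host_volumes:
                findings.append(
                    f"{name}/{cname}: mounts hostPath {host_volumes[vname]!r} "
                    f"at {mount.get('mountPath')}"
                )
    return findings


if __name__ == "__main__":
    for pod in (HOST_ROOT_POD, SAFE_POD):
        for finding in audit_pod(pod) or ["no findings"]:
            print(finding)
```

The same checks map directly onto admission-time policy (for example the restricted profile of Pod Security Standards); running them over manifests in CI catches the root-mount pattern before a workload ever reaches a node.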

Finally, the Kiss-a-dog campaign hides digital wallet addresses by creating an anonymous pool of servers in which mining peers, including the compromised container, contribute compute effort anonymously.

Historically, cryptojacking has been considered a nuisance crime. However, the same techniques can also be used to deliver more malicious types of attacks, warns Ahuje. In fact, this type of attack could take down an entire IT environment, he adds.

It’s not clear how many cyberattacks are being launched against container environments, but as cloud-native applications using containers are increasingly deployed in production environments, the number of attractive targets is also increasing. The challenge is that securing a cloud-native application environment is fundamentally different from securing virtual machines, so many organizations deploying these applications are not as cognizant of the potential threat vectors.

Unfortunately, it may require a major breach before more organizations start to really appreciate the full scope of the threat to container applications.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.