Bad Actors Exploiting Docker Remote API Servers in Attacks

Researchers from cybersecurity vendor Trend Micro are urging developers to secure and monitor their Docker remote API servers after attacks by threat actors targeting the systems to install a Linux malware and a cryptocurrency miner on compromised systems.

In a pair of reports, the researchers outlined recent attacks that installed and deployed either the perfctl malware or SRBMiner crypto miner, an indication that bad actors are ramping up their efforts to exploit the vulnerability of these servers.

“Exploiting exposed Docker remote API servers has now reached a critical level where the attention of an organization and its security professionals is seriously required,” threat researchers Sunil Bharti and Ranga Duraisamy wrote in one report. “The first step to avoiding such incidents is understanding the attack sequence a threat actor can use. It is essential that every organization’s Docker Remote API server is secured, monitored regularly for unauthorized access and suspicious activities to reduce the risk of attacks, and has security patches up to date.”

In the report, Bharti and Duraisamy said the attacks installing perfctl start with the bad actors probing for vulnerable Docker remote API servers. Perfctl is a persistent multipurpose backdoor known to deploy cryptojacking malware – when a victim’s compute resources to mine for cryptocurrencies – and proxyjacking, in which hackers not only steal compute resources but also unused bandwidth for their nefarious activities.

Once a vulnerable system is identified, the hackers create a Docker container in a way that includes a name that is similar to a legitimate container and enables it to run in a privileged mode. They also configure their container to “share the same PID namespace as the processes on the host. As a result, the container’s processes will be able to see and interact with all the processes running on the host system in the same way as all running processes, as if they were running directly on the host.”

Two-Part Payload

The container executes a two-part malicious payload via a Docker Exec API, with the first trying to escape the container and the second containing a Base64 encoded shell script, which checks for and prevents duplicate processes and then creates a Bash script that contains a series of commands.

The malware also uses techniques to evade detection, including checking for similar processes and creating directories and a custom function to download files.

This isn’t the only recent report of perfctl being used in attacks. Aqua Security researchers early this month wrote they had discovered the malware exploiting more than 20,000 types of misconfigurations and undetected vulnerabilities to target Linux systems over the past three to four years.

They warned that users with Linux servers connected to the internet were at risk, adding that “given the scale, we strongly believe the attackers targeted millions worldwide with a potential number of victims of thousands, it appears that with this malware any Linux server could be at risk.”

Mining Crypto

In the second Trend Micro report, Bharti and Abdelrahman Esmail wrote that threat actors were targeting Docker remote API servers to deploy SRBMiner to mine XRP crypto, using the gRPC protocol (a framework for transmitting data and implementing APIs using HTTP 2.0) over h2c (HTTP/2 over TCP) to evade security protections and run their cryptomining operations on the Docker host.

They noted that while Docker’s remote API is convenient for developers who want to manage their containers, images and volumes remotely, “this feature also introduces security risks if remote API servers are left misconfigured and exposed to the internet, which could lead to security breaches and exploitation by malicious actors.”

Think Before Enabling by Default

Katie Paxton-Fear, API researcher with Traceable AI, echoed the thought, adding that organizations should think before enabling the remote API by default.

“If you are not 100% sure you need this feature, the safest thing to do is disable it,” Paxton-Fear said. “In this case [involving perfctl], the researchers were able to pivot from a single docker container to the host via a container escape, but if the management API is simply disabled when not in use, the vulnerability is completely avoidable.”

She added that all management APIs have high levels of access and can create and modify resources at will.

“You must ensure you use strong authentication and authorization to ensure that not only those with valid credentials access a management console, but also that they have the correct permissions,” Paxton-Fear said. “This allows you to easily revoke access. But if a user’s credentials are leaked, it is also vital to have logging and monitoring in place for Docker exec so you are aware when new containers are created and used.”

A To-Do List

The Trend Micro researchers also outlined several other steps that need to be taken, including implementing strong access controls and authentication mechanisms, regularly monitoring the remote API servers for unusual activities, and implementing strong security practices like avoiding the use of “privileged” mode and reviewing container images and configurations before deploying them.

Other recommendations include not running containers with root privileges, performing regular security audits and keeping up with security updates and patches for Docker and related software to protect against known vulnerabilities.