Monero cryptominers hijack hundreds of unpatched Docker hosts


A recently disclosed vulnerability in the Docker containerisation platform is being exploited by cybercriminals to mine the Monero (XMR) cryptocurrency on hundreds of servers.

Security company Imperva used Shodan to find open ports running Docker, finding 3,822 on which the platform’s remote API was publicly exposed.

Of these, around 400 had accessible IP addresses on port 2735/2736, the API’s listening ports. The majority turned out to be running cryptominers, with a smaller number hosting legitimate MySQL and Apache production servers.

Used to configure containers, Docker’s API ports shouldn’t be accessible externally. Combined with CVE-2019-5736, a critical root access vulnerability in Docker’s default container runtime, runC, this could quickly lead to a full compromise.

As bad as cryptocurrency mining sounds, the researchers explain that attackers could do a lot worse with pwned Docker hosts, including stealing credentials to attack the internal network, hosting phishing and malware campaigns, and creating botnets:

The possibilities for attackers after spawning a container on hacked Docker hosts are endless.

Not to mention that these hosts are still busily mining Monero for criminal gain:

Monero transactions are obfuscated, meaning it is nearly impossible to track the source, amount, or destination of a transaction.

What to do

The worry is that hundreds of Docker hosts have already been compromised with many more potentially on offer. Clearly, if the runC flaw is being exploited, that means admins haven’t patched it. Given how serious it is, that’s a surprise.

Updating Docker to v18.09.2 or later should fix that flaw, although it’s still important to ensure Docker has been securely deployed in the first place (Imperva saw credentials stored insecurely as environment variables, for example).
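The two configuration problems the article points at, a remote API bound to a network interface with no client authentication and secrets passed to containers as environment variables, are both things an admin can check on their own hosts. The script below is an added example for this page, not Imperva's tooling and not code from the article. It assumes the documented layout of Docker's /etc/docker/daemon.json (the "hosts" list and the "tlsverify" flag) and of `docker inspect` output (the Config.Env array); Docker's documented default ports for the remote API are TCP 2375 (plain) and 2376 (TLS). The daemon configs and container records it runs over are constructed samples.

```python
"""Audit a Docker host: is the remote API exposed, and do containers carry secrets in env vars?

Added example. Assumes Docker's daemon.json keys ("hosts", "tlsverify") and the
`docker inspect` JSON layout (Config.Env). All sample data below is constructed.
"""
import re
from urllib.parse import urlparse

# Docker's documented defaults: 2375 is the plain-TCP API port, 2376 the TLS one.
DOCKER_TCP_PORTS = {2375, 2376}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Name-based heuristic for secrets in environment variables; expect some false positives.
SECRET_KEY = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def audit_daemon_config(cfg: dict) -> list:
    """Return (severity, message) findings for a parsed daemon.json dict.

    An empty list means every listener is a local socket or a loopback/TLS-auth one.
    """
    findings = []
    tls_auth = bool(cfg.get("tlsverify"))  # client certificates required
    # Docker's default when "hosts" is absent is the local Unix socket only.
    for listener in cfg.get("hosts", ["unix:///var/run/docker.sock"]):
        u = urlparse(listener)
        if u.scheme in ("unix", "fd"):
            continue  # not reachable over the network
        if u.scheme != "tcp":
            findings.append(("WARN", f"{listener}: unrecognised listener scheme"))
            continue
        host = u.hostname or "0.0.0.0"  # "tcp://:2375" means all interfaces
        reachable = host not in LOOPBACK
        if reachable and not tls_auth:
            findings.append(("CRITICAL", f"{listener}: remote API on a non-loopback "
                                         "address with no client authentication"))
        elif reachable:
            findings.append(("WARN", f"{listener}: remote API reachable from the network "
                                     "(TLS client auth on); restrict it with a firewall"))
        elif u.port in DOCKER_TCP_PORTS and not tls_auth:
            findings.append(("INFO", f"{listener}: loopback-only TCP listener without TLS"))
    return findings


def find_secret_env(inspect_output: list) -> list:
    """Return (container, env_name) pairs whose env var name looks like a secret."""
    hits = []
    for container in inspect_output:
        name = container.get("Name", "?").lstrip("/")
        for entry in container.get("Config", {}).get("Env", []):
            key, _, value = entry.partition("=")
            if value and SECRET_KEY.search(key):
                hits.append((name, key))
    return hits


# --- constructed samples -------------------------------------------------
EXPOSED_CONFIG = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}
SAMPLE_INSPECT = [
    {"Name": "/web", "Config": {"Env": ["PATH=/usr/bin", "MYSQL_ROOT_PASSWORD=hunter2"]}},
    {"Name": "/db", "Config": {"Env": ["MYSQL_DATABASE=app", "API_TOKEN=abc123"]}},
]

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_daemon_config(cfg) or "no findings")
    print("secrets in env:", find_secret_env(SAMPLE_INSPECT))
```

On a real host, load /etc/docker/daemon.json with `json.load` and pass it to `audit_daemon_config`, and pipe `docker inspect $(docker ps -aq)` (which emits a JSON array) into `find_secret_env`. Any CRITICAL finding is the configuration Imperva found on the compromised hosts; secrets flagged in Config.Env are readable by anyone who can reach the API, so move them to a secrets mechanism rather than environment variables.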

Last June, sites running the Drupal CMS were hit by the ‘Drupalgeddon 2’ Monero cryptomining attack months after the vulnerability making that possible, CVE-2018-7600, was patched.
