Unhealthy actors have been noticed concentrating on Docker distant API servers to deploy the SRBMiner crypto miner on compromised cases, in line with new findings from Development Micro.
“On this assault, the menace actor used the gRPC protocol over h2c to evade safety options and execute their crypto mining operations on the Docker host,” researchers Abdelrahman Esmail and Sunil Bharti mentioned in a technical report revealed immediately.
“The attacker first checked the supply and model of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC strategies to control Docker functionalities.”
All of it begins with the attacker conducting a discovery course of to verify for public-facing Docker API hosts and the supply of HTTP/2 protocol upgrades with the intention to observe up with a connection improve request to the h2c protocol (i.e., HTTP/2 sans TLS encryption).
The adversary additionally proceeds to verify for gRPC strategies which can be designed to hold out varied duties pertaining to managing and working Docker environments, together with these associated to well being checks, file synchronization, authentication, secrets and techniques administration, and SSH forwarding.
As soon as the server processes the connection improve request, a “/moby.buildkit.v1.Management/Resolve” gRPC request is shipped to create a container after which use it to mine the XRP cryptocurrency utilizing the SRBMiner payload hosted on GitHub.
“The malicious actor on this case leveraged the gRPC protocol over h2c, successfully bypassing a number of safety layers to deploy the SRBMiner crypto miner on the Docker host and mine XRP cryptocurrency illicitly,” the researchers mentioned.
The disclosure comes because the cybersecurity firm mentioned it additionally noticed attackers exploiting uncovered Docker distant API servers to deploy the perfctl malware. The marketing campaign entails probing for such servers, adopted by making a Docker container with the picture “ubuntu:mantic-20240405” and executing a Base64-encoded payload.
The shell script, in addition to checking and terminating duplicate cases of itself, creates a bash script that, in flip, incorporates one other Base64-encoded payload chargeable for downloading a malicious binary that masquerades as a PHP file (“avatar.php”) and delivers a payload named httpd, echoing a report from Aqua earlier this month.
Customers are really useful to safe Docker distant API servers by implementing sturdy entry controls and authentication mechanisms to stop unauthorized entry, monitor them for any uncommon actions, and implement container safety finest practices.
