For the first time in history, Researchers have discovered a cryptojacking worm. Each Palo Alto Networ Unit 42 Security Investigatorsk Inc. they made the find of this cryptojacking worm that spreads using Docke software containersr. This cryptojacking worm exploits the platform as a service (PaaS) solution that software developers use to test and deploy applications on Windows and Linux platforms.
Since docker allows applications to run in a virtual environment separate from other Windows applications, allowing developers to run applications on shared system resources. Nicknamed "Graboid", the worm spread to more than 2,000 Docker hosts unsafe and uses infected hosts to mine “Monero” cryptocurrency.
Monero is a hackers' favorite cryptocurrency because it is anonymous and extremely difficult to track. Rather, bitcoin can be tracked through a public ledger.
Los investigadores found multiple images of associated containerss with the attack at different stages of the infection chain. These containers were removed by Docker Hub supportAfter being alerted by researchers, one of the container images running CentOS tried to connect to predefined command and control (C2) servers to download and run four shell scripts.
Those behind Graboid identify insecure Docker engines to start the infection process. Once the entry point is identified, the worm unfolds to begin its journey.
When downloading some scripts from a command and control server, the worm is essentially self-sufficient, it starts cryptocurrency on the Docker host infected while looking for new victims. Graboid begins by randomly selecting three potential targets for infection, installing the worm at the first target, and stops the miner at the second target, starting mining at the third target.
"This procedure leads to very random mining behavior," the researchers explained today. “If my host is compromised, the malicious container doesn't start right away. Instead, I have to wait until another compromised host chooses me and starts my mining process… Essentially, the miner on each infected host is randomly controlled by all other infected hosts.
On average, each miner was active 63% of the time and each mining period lasted 250 seconds, making activity difficult to detect as most endpoint protection software does not inspect data and activities within The containers.
The Unit 42 researchers worked with the Docker team to remove malicious container images, but the risk of future infections from variants using similar techniques is real.
"If a more powerful worm is ever created to take a similar infiltration approach, it could do much more damage, so it is imperative that organizations protect their Docker hosts," the researchers cautioned.
In the blog post about Graboid, security researchers offer some advice that can help prevent infection. Within them, Palo Alto researchers advise companies never to expose their Docker daemons directly to the Internet without proper authentication.
In fact, Docker Engine is not exposed to the Internet by default, so the insecure implementations exploited by this worm have been manually configured to be publicly available.
Other of the advice given by the researchers is that companies using SSH with strong authentication if they need to remotely connect to a Docker daemon and combine it with firewall rules that limit connections to a list of trusted IP addresses.
Moreover, recommend that administrators ensure that they never deploy Docker container images from untrusted sources on Docker Hub and frequently check their Docker implementations to remove unknown containers or images.