Computer security

A self-propagating malware campaign is cryptomining misconfigured docker containers

Docker containerization is under attack with a self-propagating cryptomining malware campaign that is targeting misconfigured Docker Daemon API ports. Gal Singer, a security researcher at AquaSec, has identified this campaign that has been there for months and is believed to be increasing in volume everyday. The researcher has stated that this campaign should be orchestrated by criminals who do have handful of resources and infrastructure to execute an attack at this level.

How does this self-propagating malware work

The attack begins like this, the attacker identifies a misconfigured Docker API port which is open to public internet, After accessing this open port, the attacker deploys a Ubuntu container and runs the same on the Docker connected to that open port. This container then fetches the kinsing malware using a command, which further downloads a cryptominer. 

After all these initial build up, the kinsing malware self-propagates to other docker containers. This installer update to the docker container is updated using the shell script, which disables the security measures and also deletes the log files, and overwrites other malware or cryptominers that exists within. After completing this routine, the kinsing malware uses ‘crontab’ function to execute the same script every minute.

The kinsing malware is a Golang-based Linux binary, which in turn employs multiple libraries. The malware communicates with the C&C server using these libraries, which then gets it commands from that server to act as a dropper and execute scripts.

Source: AquaSec

More about kinsing malware

Just like any other cryptominers, this campaign also includes a connection to the host and the mining process. The main difference in the campaign is the self-propagation technique that is employed by the attackers using the shell script.

The script identifies new targets using the data from ‘/.ssh/config,.bash_history,/.ssh/known_hosts’. With this information, the malware then propagates to the new host, through SSH, and then downloads the script and malware to propagate to the next host or containers. Based on the research by Singer, the C&C servers of this malware appears to be located in the eastern part of Europe, and the attackers have unique servers for each function of malware.

How to avoid such misconfigurations proactively

Docker is always known to have flaws, a source code was exposed due to the misconfigured Docker container registries, that belonged to retailers, news media and other organizations. Furthermore, in October around 2000 hosts of the unsecured Docker Engine were affected by cryptojacking worm.

The development, testing and security team have to work in coordination to avoid attacks like these, the hackers are becoming sophisticated day by day, and its important for the DevSecOps teams to build an effective Docker container security by locking them down appropriately based on the privileges. The cloud based resources had to be grouped together, and arranged in such a way that the most critical resources are protected the most, and appropriate privileges are defined. Vulnerability scanners can be employed to identify the loopholes and fix them before it is too late.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on FacebookLinkedinInstagramTwitter and Reddit.  

Share the article with your friends
William Marshal

William has been one of the key contributors to 'The Cybersecurity Times' with 9.5 years of experience in the cybersecurity journalism. Apart from writing, he also like hiking, skating and coding.

Recent Posts

Best Microsoft Intune Alternatives: Top 5 MDMs to Consider

Explore the top 5 best Microsoft Intune alternatives, comparing key features, user reviews, and capabilities…

1 day ago

Top 7 Best Smartphones with Best Security Features in 2024

Discover the top 7 smartphones of 2024 with best security features, offering privacy, performance, and…

3 weeks ago

Top 11 Log Management Tools for Efficient System Management

Discover the top 11 log management tools for efficient system management and monitoring. Learn about…

2 months ago

Top 5 Threat Intelligence Tools For 2024

Explore the top 5 threat intelligence tools, their features, and how they enhance cybersecurity against…

2 months ago

Privileged Access Management: 5 Best PAM Solutions in the Market

Explore the top 5 best PAM Tools, market trends, and expert insights to secure the…

2 months ago

Apple Device Management: Top Solutions for iOS and macOS Management

Explore the top solutions for Apple Device Management including to iOS Device Management and macOS…

2 months ago