Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Assaults

Oct 22, 2024Ravie LakshmananDocker Safety / Cloud Security

Dangerous actors have been noticed focusing on Docker distant API servers to deploy the SRBMiner crypto miner on compromised cases, in keeping with new findings from Development Micro.

“On this assault, the menace actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host,” researchers Abdelrahman Esmail and Sunil Bharti mentioned in a technical report revealed immediately.

“The attacker first checked the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities.”

Cybersecurity

All of it begins with the attacker conducting a discovery course of to examine for public-facing Docker API hosts and the supply of HTTP/2 protocol upgrades with the intention to observe up with a connection improve request to the h2c protocol (i.e., HTTP/2 sans TLS encryption).

The adversary additionally proceeds to examine for gRPC strategies which can be designed to hold out varied duties pertaining to managing and working Docker environments, together with these associated to well being checks, file synchronization, authentication, secrets and techniques administration, and SSH forwarding.

As soon as the server processes the connection improve request, a “/moby.buildkit.v1.Control/Solve” gRPC request is distributed to create a container after which use it to mine the XRP cryptocurrency utilizing the SRBMiner payload hosted on GitHub.

Crypto Mining Attacks

“The malicious actor in this case leveraged the gRPC protocol over h2c, effectively bypassing several security layers to deploy the SRBMiner crypto miner on the Docker host and mine XRP cryptocurrency illicitly,” the researchers mentioned.

The disclosure comes because the cybersecurity firm mentioned it additionally noticed attackers exploiting uncovered Docker distant API servers to deploy the perfctl malware. The marketing campaign entails probing for such servers, adopted by making a Docker container with the picture “ubuntu:mantic-20240405” and executing a Base64-encoded payload.

Cybersecurity

The shell script, moreover checking and terminating duplicate cases of itself, creates a bash script that, in flip, accommodates one other Base64-encoded payload answerable for downloading a malicious binary that masquerades as a PHP file (“avatar.php”) and delivers a payload named httpd, echoing a report from Aqua earlier this month.

Customers are beneficial to safe Docker distant API servers by implementing sturdy entry controls and authentication mechanisms to stop unauthorized entry, monitor them for any uncommon actions, and implement container safety finest practices.

Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we submit.

Recent articles

SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Goal Victims

An ongoing phishing marketing campaign is using copyright infringement-related...

5 Most Widespread Malware Strategies in 2024

Ways, methods, and procedures (TTPs) kind the muse of...

Showcasing the SuperTest compiler’s check & validation suite | IoT Now Information & Studies

House › IoT Webinars › Showcasing the SuperTest compiler’s...

Cisco Releases Patch for Essential URWB Vulnerability in Industrial Wi-fi Programs

Nov 07, 2024Ravie LakshmananVulnerability / Wi-fi Expertise Cisco has launched...

Canada Orders TikTok to Shut Down Canadian Operations Over Safety Considerations

Nov 07, 2024Ravie LakshmananNationwide Safety / Social Media The Canadian...