Dangerous actors have been noticed focusing on Docker distant API servers to deploy the SRBMiner crypto miner on compromised cases, in keeping with new findings from Development Micro.
“On this assault, the menace actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host,” researchers Abdelrahman Esmail and Sunil Bharti mentioned in a technical report revealed immediately.
“The attacker first checked the availability and version of the Docker API, then proceeds with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities.”
All of it begins with the attacker conducting a discovery course of to examine for public-facing Docker API hosts and the supply of HTTP/2 protocol upgrades with the intention to observe up with a connection improve request to the h2c protocol (i.e., HTTP/2 sans TLS encryption).
The adversary additionally proceeds to examine for gRPC strategies which can be designed to hold out varied duties pertaining to managing and working Docker environments, together with these associated to well being checks, file synchronization, authentication, secrets and techniques administration, and SSH forwarding.
As soon as the server processes the connection improve request, a “/moby.buildkit.v1.Control/Solve” gRPC request is distributed to create a container after which use it to mine the XRP cryptocurrency utilizing the SRBMiner payload hosted on GitHub.
“The malicious actor in this case leveraged the gRPC protocol over h2c, effectively bypassing several security layers to deploy the SRBMiner crypto miner on the Docker host and mine XRP cryptocurrency illicitly,” the researchers mentioned.
The disclosure comes because the cybersecurity firm mentioned it additionally noticed attackers exploiting uncovered Docker distant API servers to deploy the perfctl malware. The marketing campaign entails probing for such servers, adopted by making a Docker container with the picture “ubuntu:mantic-20240405” and executing a Base64-encoded payload.
The shell script, moreover checking and terminating duplicate cases of itself, creates a bash script that, in flip, accommodates one other Base64-encoded payload answerable for downloading a malicious binary that masquerades as a PHP file (“avatar.php”) and delivers a payload named httpd, echoing a report from Aqua earlier this month.
Customers are beneficial to safe Docker distant API servers by implementing sturdy entry controls and authentication mechanisms to stop unauthorized entry, monitor them for any uncommon actions, and implement container safety finest practices.
