The Triple Threat: Docker Swarm, Kubernetes & SSH Server Exploits on the Rise

Securing Container Environments: The Threats to Docker Swarm and Kubernetes

Docker Swarm and Kubernetes are both popular container orchestration tools, designed to simplify the deployment and management of containerized applications. However, their widespread use has made them attractive targets for cybercriminals. Recent findings from Datadog Security Labs highlight that hackers are actively exploiting vulnerabilities in Docker Swarm, Kubernetes, and SSH servers on a large scale.


The Emergence of Targeted Malware Campaigns

A newly discovered malware campaign is specifically targeting Docker and Kubernetes environments, using vulnerabilities in Docker API endpoints as the entry point. Identified under the alias “nmlmweb3,” this campaign has been associated with malicious repositories that pose a significant risk to users.

Exploiting Vulnerabilities

Attackers are deploying cryptocurrency mining software on compromised containers, using these systems to conduct secondary attacks within the network. By targeting the Kubernetes kubelet API, they can leverage additional resources and distribute further malicious payloads, creating a botnet-like environment.

The campaign also utilizes Docker Hub for distributing malware, increasing the risk for the broader community of users.

How the Attack Unfolds

The attack typically starts with the exploitation of exposed Docker APIs. Hackers issue commands to create an Alpine container and run an initialization script, init.sh, which installs the XMRig miner, implements process-hiding techniques, and retrieves additional payloads.

Lateral Movement and Resource Exploitation

The attackers facilitate lateral movement using scripts like kube.lateral.sh, spread_docker_local.sh, and spread_ssh.sh. They scan the network with tools like masscan and zgrab to identify vulnerable endpoints.

The malware evaluates the context in which mining programs are deployed, disabling security features and propagating to other machines. The attackers’ reach extends to cloud services, where they also target platforms like GitHub and Codespaces to search for sensitive credential files.

Evasion Tactics and Persistence

Throughout the attack, the malware employs advanced evasion techniques and persistence mechanisms. Utilizing a multi-stage approach, attackers first exploit exposed Docker API endpoints before deploying various malicious payloads, including init.sh, kube.lateral.sh, and setup_xmr.sh, to facilitate further infiltration and resource hijacking.

The main objective of these operations is cryptojacking, specifically targeting the Monero cryptocurrency through the use of the XMRig miner. The attackers exhibit advanced tactics by manipulating Docker Swarm to create networks of compromised systems.

To maintain their presence, scripts such as ar.sh and pdflushs.sh are used to modify iptables rules, adjust system settings, and establish SSH backdoors. The malware also uses libprocesshider to conceal its malicious activities.

Command and Control Operations

Investigations into the attack infrastructure revealed connections to solscan[.]live, a domain utilized for command and control (C2) activities and payload delivery. While some of the tactics have been associated with the TeamTNT threat group, the exact attribution remains unclear.

Enhancing Security Measures

This situation underscores the urgent need for robust security protocols within Docker and Kubernetes deployments. Organizations must stay proactive in their security strategies, implementing comprehensive defenses to counter emerging threats. By understanding the methods used by attackers, companies can better prepare to mitigate risks and protect their environments effectively.
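The two entry points described above, an exposed Docker API and a kubelet API that accepts unauthenticated requests, are both configuration mistakes that can be audited. The script below is an added example, not code from the Datadog report or this post: it checks a parsed /etc/docker/daemon.json for a TCP listener without `tlsverify`, and a parsed KubeletConfiguration for anonymous authentication or `AlwaysAllow` authorization. The weak and hardened configurations are constructed samples; the kubelet config is assumed to have already been loaded from YAML into a dict.

```python
"""Audit Docker daemon and kubelet settings for the exposure this campaign
relies on. Sample configurations below are constructed for this example."""
import json
from urllib.parse import urlparse

LOCAL_BINDS = ("127.0.0.1", "::1", "localhost")


def audit_docker_daemon(cfg: dict) -> list:
    """Findings for a parsed /etc/docker/daemon.json (real keys: hosts, tlsverify)."""
    findings = []
    for host in cfg.get("hosts", []):
        u = urlparse(host)
        if u.scheme != "tcp":          # unix:// and fd:// are local-only listeners
            continue
        if (u.hostname or "") in LOCAL_BINDS:
            continue                    # loopback-only TCP is not network-exposed
        if not cfg.get("tlsverify"):
            findings.append(f"Docker API listens on {host} without tlsverify")
    return findings


def audit_kubelet(cfg: dict) -> list:
    """Findings for a parsed KubeletConfiguration (authentication/authorization keys)."""
    findings = []
    if cfg.get("authentication", {}).get("anonymous", {}).get("enabled"):
        findings.append("kubelet allows anonymous authentication")
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("kubelet authorization mode is AlwaysAllow")
    return findings


# Constructed samples: the weak setting beside its hardened counterpart.
WEAK_DAEMON = json.loads(
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
HARDENED_DAEMON = json.loads(
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}')
WEAK_KUBELET = {"authentication": {"anonymous": {"enabled": True}},
                "authorization": {"mode": "AlwaysAllow"}}
HARDENED_KUBELET = {"authentication": {"anonymous": {"enabled": False},
                                       "webhook": {"enabled": True}},
                    "authorization": {"mode": "Webhook"}}

if __name__ == "__main__":
    for name, fn, cfg in [("weak daemon.json", audit_docker_daemon, WEAK_DAEMON),
                          ("hardened daemon.json", audit_docker_daemon, HARDENED_DAEMON),
                          ("weak kubelet", audit_kubelet, WEAK_KUBELET),
                          ("hardened kubelet", audit_kubelet, HARDENED_KUBELET)]:
        print(f"{name}: {fn(cfg) or ['no findings']}")
```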
