Ever since a flaw was discovered in Docker’s remote API, hundreds of attackers including crypto miners have pounced on it to siphon as much as they can, according to cybersecurity company Imperva.
Attackers Always On the Lookout for Mistakes
A container flaw discovered last month (CVE-2019-5736) in Docker's remote API has not gone unnoticed by attackers, who wasted no time taking advantage of the situation, according to Imperva research.
Imperva reports that hundreds of Docker hosts have been found vulnerable and are now being exploited by crypto miners. Docker is a program that lets developers run operating-system-level virtualization, which makes it much easier to create, deploy and run applications.
Imperva disclosed that Docker also allows organizations to interact with it via a remote API. Some organizations, however, have configuration lapses that expose this API, giving attackers access to host services to steal credentials, install unauthorized software and launch phishing campaigns.
Imperva reported that it discovered 3,822 Docker hosts with the remote API (port 2735) publicly exposed. Of these, about 400 were accessible, and most of those were running a miner for Monero, a cryptocurrency that is not widely known.
“We found 3,822 Docker hosts with the remote API exposed publicly. We wanted to see how many of these IPs are really exposed. In our research, we tried to connect to the IPs on port 2735 and list the Docker images. Out of 3,822 IPs, we found approximately 400 IPs are accessible,” wrote the researchers.
Monero (XMR) is an open-source digital asset that was established in April 2014. Its focus is on decentralization, privacy and fungibility. It uses an obfuscated public ledger, which means that anyone can send or broadcast transactions, but external observers cannot learn the amount, destination or source of the funds.
What More Could Go Wrong?
Crypto mining on compromised Docker hosts is just one of many attacks that are possible. Many more things could go wrong, such as data and credential theft or the launching of botnets.
Imperva has emphasized that anyone exposing Docker ports needs to put security controls in place so that only trusted sources are able to interact with the Docker API.
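One concrete form of the control Imperva calls for is checking how the Docker daemon itself is told to listen. The script below is an added example, not code from Imperva or the Docker project: it audits a `daemon.json` (the file the real Docker daemon reads from `/etc/docker/daemon.json`) and flags a TCP listener that is reachable without client-certificate verification or that binds every interface. The two sample configurations, including their addresses and port numbers, are constructed for the example; the `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are the real daemon options.

```python
"""Audit a Docker daemon.json for a remote API exposed without mutual TLS.

Added example, not part of the original article or of Docker's own tooling.
"""
import json

# Constructed sample: the daemon listens on all interfaces with no TLS at all.
# Anyone who can reach the port gets root-equivalent control of the host.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the TCP listener is bound to one management address and
# requires a client certificate signed by the named CA (tlsverify).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""

# Bind addresses that mean "every interface" to the daemon.
ANY_ADDRESS = ("0.0.0.0", "", "[::]")


def audit_daemon_config(config_text: str) -> list:
    """Return a list of human-readable findings; an empty list means no issue found."""
    cfg = json.loads(config_text)
    findings = []

    # Only tcp:// entries expose the API beyond the local unix socket.
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings

    # tlsverify is the setting that demands a client certificate; "tls": true
    # alone only encrypts the connection and still lets anyone connect.
    if not cfg.get("tlsverify"):
        findings.append(
            "remote API listens on TCP without client certificate verification "
            "(tlsverify is not true)"
        )
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but '{key}' is missing")

    # A listener on every interface is reachable from wherever the host is
    # routable; bind a management address or firewall the port instead.
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        ip = addr.rsplit(":", 1)[0]
        if ip in ANY_ADDRESS:
            findings.append(f"{host} binds every interface")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        result = audit_daemon_config(text)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it against your own `/etc/docker/daemon.json` by reading the file into `audit_daemon_config`; a daemon started with `-H tcp://...` on the command line rather than through `daemon.json` needs the same keys checked in the service unit, which this script does not parse.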
Imperva is planning to launch a cloud discovery tool that lets security and network admins discover and detect publicly accessible ports inside an Amazon Web Services (AWS) account, scanning both containers and instances.