Pierluigi Paganini June 15, 2019

Cybercriminals are attempting to exploit an API misconfiguration in Docker containers to infiltrate them and run the Linux bot AESDDoS.

Hackers are attempting to exploit an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community to infiltrate containers and run the Linux bot AESDDoS (Backdoor.Linux.DOFLOO.AA).

Threat actors are actively scanning the Internet for exposed Docker APIs on port 2375 and use them to deliver a malicious code that drops the AESDDoS Trojan.

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” reads the analysis published by Trend Micro. “Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.”

The AESDDoS malware is active since at least since 2014 and it was used to build large DDoS botnet. in some cases, it was also used in cryptojacking campaigns.

In recent months, threat actors focused their attention on misconfigured Docker services that could be abused for several malicious purposes.

“A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file.” states the report. “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.”

The malware also collects system information and send it back to the C2, depending on the specific hardware configuration the attackers can choose which kind of activity to carry out (i.e. launching DDoS attacker, mining cryptocurrency, etc.)

In the campaign observed by Trend Micro, the bot was deployed using the docker exec command to misconfigured containers.

The malware could allow the attackers to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The analysis published by Trend Micro includes technical details of the attacks and a list of Indicators of Compromise (IOCs).

In March, hundreds of Docker hosts were compromised in cryptojacking campaigns exploiting the CVE-2019-5736 runc vulnerability disclosed in February.

In order to secure Docker hosts admins should allow only trusted sources to access the Docker API, below some recommendations provided by Trend Micro.

“Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.” concludes the report.

“To prevent container-based incidents from happening, organizations can follow these guidelines:

• Check API configuration. 
• Implement the principle of least privilege. 
• Follow recommended best practices. 
• Employ automated runtime and image scanning to gain further visibility into the container’s processes (e.g., to determine if it has been tampered with or has vulnerabilities).”

Pierluigi Paganini

(SecurityAffairs – containers, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]