Security Researchers at Imperva Find Monero Crypto Miners Were Leveraging Weak Docker Hosts
According to a new report released by Imperva, a security research firm, crypto miners have been “exploiting hundreds of fragile Docker hosts” associated with the Monero project. As a result of this, many XMR-based transactions are being obscured and the intrinsic data related to these transactions is becoming nearly impossible to trace.
On the matter, a large number of vulnerable Docker hosts are being exploited by miscreants who are taking advantage of certain modules, namely CVE-2019-5736 in runC (which allows Monero transactions to be meddled with).
More On The Matter
After the exposure of the above-mentioned runC flaw last month, a number of new attacks have commenced on Docker. As part of the flaw, hackers and other third-party entities have the ability to “do whatever they please once they get past the core security wall”.
According to a statement issued by Imperva, the firm made use of Shodan as a tool to find open Docker ports, locating nearly 3,822 of them. These ports were found to have had their APIs exposed to the public. Not only that, more than 400 of the above-mentioned ports had IP addresses that “were accessible on the 2735/2736 port-channel”.
“We found that a cryptocurrency miner for a currency called Monero is running most of the exposed Docker remote API IPs. Monero transactions are obfuscated, meaning the source, amount, or destination of a transaction is almost impossible to track.”
It is worth adding that since crypto-jackers have already exposed a plethora of hosts to other miscreants, this vulnerability may be exploited further if the compromised daemons are not patched in time.
Other Key Details Worth Noting
Although Imperva’s dev team highlighted only one case of vulnerable Docker daemons, there is considerable potential for attacks on a number of other compromised servers.
These can include:
- Masked IP Attacks
- Phishing campaign hosting services
- Stealing of sensitive data and credentials
More About Docker
For those of our readers unaware of what a ‘Docker Container’ is, it can be thought of as a “standard unit of software that packages up code and all of its dependencies” so as to help the associated application run faster. The platform has been in the open source community for quite some time now and its containers have been downloaded more than 85 trillion times to date.
On the subject of the Docker Management UI being exposed to external threats, Imperva’s core dev team was quoted as saying:
“It can be useful to expose Docker ports and third-party apps such as ‘portainer’. However, you must ensure that security controls are created that allow interaction with the Docker API only by trusted sources.
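To make that advice concrete, the following is an added audit helper (it is not code from Imperva's report or from the Docker project) that reads a dockerd `daemon.json` and flags a remote API listener bound on every interface or running without client certificate verification. The two sample configurations and the `10.0.0.5` address are constructed for illustration.

```python
import json

# Constructed sample daemon.json files (not taken from the report).
# WEAK exposes the remote API on all interfaces in plaintext, which is the
# kind of listener Shodan can find and anyone can drive without credentials.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# HARDENED binds to one internal address and requires a client certificate
# signed by the local CA (tlsverify), so only trusted sources can talk to the API.
HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

WILDCARD_BINDS = {"", "0.0.0.0", "::", "[::]"}


def audit_daemon_config(text):
    """Return a list of findings for a dockerd daemon.json; an empty list means
    no exposed remote API listener was found."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        # Split off the port; works for "ip:port", "[::]:port" and bare "ip".
        ip = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if ip in WILDCARD_BINDS:
            findings.append(f"{host}: remote API bound on all interfaces")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without client certificate "
                            "verification (tlsverify)")
    # tlsverify is only meaningful when the CA, server cert and key are configured.
    if tcp_hosts and cfg.get("tlsverify") and not all(
            cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify set but tlscacert/tlscert/tlskey paths missing")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(text) or "no findings")
```

A daemon with only the Unix socket configured produces no findings, because the remote API is not reachable over the network at all.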