Hackers Exploiting Exposed Docker Remote API Servers With perfctl Malware
Cybercriminals are increasingly targeting exposed Docker Remote API servers to deploy the perfctl malware, posing significant threats to organizations relying on containerized environments.
These attacks involve a structured probing sequence, container creation, and payload execution, exploiting vulnerabilities in Docker configurations.
Trend Micro observes that the attack begins with hackers sending ping requests to locate vulnerable Docker Remote API servers. Once identified, attackers proceed to create a Docker container using specific settings designed to facilitate further exploitation.
For instance, a container named “kube-edagent” is established from the “ubuntu:mantic-20240405” image, configured in privileged mode with “pid mode: host.”
This configuration allows the container to share the host’s Process ID (PID) namespace, granting attackers visibility and control over host processes.
Payload Execution in Docker
After successfully creating the container, attackers execute a Base64 encoded payload using the Docker Exec API.
The payload begins by escaping the container environment through the “nsenter” command, entering the host’s namespaces to gain elevated privileges. The decoded script performs several malicious actions:
Process Management: It checks for duplicate processes to avoid detection and creates a bash script named “kubeupd” in the “/tmp” directory, setting environment variables tailored to the attacker’s infrastructure.
Malicious Binary Deployment: The script downloads a malicious binary disguised as a PHP extension, making it harder to detect based on file extensions.
If the binary matches specific criteria, it proceeds to modify system settings, update environment variables, and execute further malicious commands in the background.
Persistence Mechanism: To maintain access, the malware establishes persistence by creating a systemd service or a cron job, ensuring the malicious processes survive system reboots and remain active.
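The exec-stage behaviour described above (a Base64-encoded command passed through the Docker Exec API, an “nsenter” escape into the host namespaces, a script dropped at /tmp/kubeupd, a download disguised as a PHP file) can be screened for on the defender’s side by decoding the exec command and matching the decoded text. The following is an added detection example, not code from the article or from Trend Micro: it assumes events shaped like `docker events --format '{{json .}}'` records (field layout assumed), and the sample events, the base64 payload and the rule labels are constructed for the example. The container name and image are the indicators quoted in the article.

```python
import base64
import re

# Indicators quoted in the article from the Trend Micro report.
KNOWN_CONTAINER_NAMES = {"kube-edagent"}
KNOWN_IMAGES = {"ubuntu:mantic-20240405"}

# A run of base64 alphabet long enough to be an embedded script rather than an id.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# (label, pattern) rules applied to the literal exec command and to every blob it decodes.
_RULES = [
    ("base64-decoded inline payload", re.compile(r"base64\s+(?:-d|--decode)\b")),
    ("nsenter into host PID 1 namespaces",
     re.compile(r"\bnsenter\b[^|;&]*?(?:-t|--target)[ =]1\b")),
    ("writes /tmp/kubeupd", re.compile(r"/tmp/kubeupd\b")),
    ("download of a .php-named file", re.compile(r"\b(?:curl|wget)\b[^|;&]*\.php\b")),
]


def decode_embedded_base64(command: str) -> list[str]:
    """Return the text of every valid base64 blob embedded in the command line."""
    decoded = []
    for blob in _B64_RUN.findall(command):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not base64 after all (e.g. a long hex container id)
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def analyse_exec_command(command: str) -> list[str]:
    """Apply the rules to the command and to anything it base64-decodes."""
    texts = [command, *decode_embedded_base64(command)]
    return [label for label, pattern in _RULES if any(pattern.search(t) for t in texts)]


def audit_events(events: list[dict]) -> dict[str, list[str]]:
    """Map container name -> findings for every exec_create event that trips a rule."""
    report: dict[str, list[str]] = {}
    for ev in events:
        action = ev.get("Action", "")
        if not action.startswith("exec_create:"):
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        name = attrs.get("name", "<unknown>")
        findings = analyse_exec_command(action[len("exec_create:"):].strip())
        if name in KNOWN_CONTAINER_NAMES:
            findings.append("container name matches reported indicator")
        if attrs.get("image") in KNOWN_IMAGES:
            findings.append("image matches reported indicator")
        if findings:
            report.setdefault(name, []).extend(findings)
    return report


# Constructed sample: a harmless stand-in payload with the shape the article describes
# (nsenter into PID 1, then a file written under /tmp/kubeupd), base64-wrapped the way
# the exec stage delivers it, next to a benign exec in an unrelated container.
_SAMPLE_PAYLOAD = "nsenter -t 1 -m -u -i -n -p -- sh -c 'echo constructed-marker > /tmp/kubeupd'"
_ENCODED = base64.b64encode(_SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_EVENTS = [
    {"Type": "container",
     "Action": f"exec_create: sh -c echo {_ENCODED} | base64 -d | sh",
     "Actor": {"Attributes": {"name": "kube-edagent", "image": "ubuntu:mantic-20240405"}}},
    {"Type": "container",
     "Action": "exec_create: sh -c ls /var/log",
     "Actor": {"Attributes": {"name": "web-frontend", "image": "nginx:1.25"}}},
]

if __name__ == "__main__":
    for container, found in audit_events(SAMPLE_EVENTS).items():
        print(container, "->", ", ".join(found))
```

Decoding before matching is the point of the example: the literal exec command only reveals the `base64 -d` step, while the nsenter and /tmp/kubeupd indicators live in the decoded blob.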
Recent incidents highlight the severity of exploiting Docker Remote API servers. In one notable case, an unidentified threat actor deployed a cryptocurrency miner using the described method.
By leveraging privileged container settings and sophisticated payloads, the attacker was able to infiltrate the host system, utilize its resources for malicious activities, and evade detection through various obfuscation techniques.
The use of tools like Tor for traffic rerouting further complicates detection and attribution, as seen with the involvement of Tor relay nodes in network traffic associated with the malware.
This level of sophistication indicates a growing trend of targeted attacks against containerized environments, emphasizing the need for robust security measures.
Prevention And Recommendations
To mitigate the risks associated with exposed Docker Remote API servers, organizations should implement the following security measures:
Secure Access Controls: Enforce strong authentication mechanisms and restrict access to Docker Remote API servers to authorized personnel only. Avoid exposing these APIs to the public internet without proper safeguards.
Regular Monitoring: Continuously monitor Docker environments for unusual activities or unauthorized access attempts. Implement intrusion detection systems to identify and respond to potential threats promptly.
Container Security Best Practices: Avoid running containers in privileged mode and carefully vet container images and configurations before deployment. Employ least privilege principles to minimize the attack surface.
Stay Updated: Keep Docker and related software up to date with the latest security patches to protect against known vulnerabilities. Regularly review and update security policies to align with evolving threat landscapes.
Employee Training: Educate and train staff responsible for managing Docker environments on security best practices and emerging attack vectors to ensure preparedness against potential threats.
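The access-control and container-hardening recommendations above map onto two concrete checks: whether the daemon exposes its API on a TCP listener without client-certificate verification, and whether running containers use the privileged / pid=host combination the article describes. The following is an added audit example, not code from the article or from Docker: it assumes `daemon.json` keys `hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey` and the `HostConfig` fields of `docker inspect` output; the configuration fragments, certificate paths, addresses and container records are constructed for the example.

```python
# Constructed daemon.json fragments. The weak one listens on an unauthenticated TCP
# socket on every interface (2375 is the conventional plaintext port); the corrected one
# keeps the Unix socket, binds the TCP listener to one address and requires mutual TLS.
# Certificate paths are placeholders.
WEAK_DAEMON_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_DAEMON_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
}

_ALL_INTERFACES = {"0.0.0.0", "", "[::]", "::"}


def check_daemon_config(cfg: dict) -> list[str]:
    """Flag TCP API listeners that are unauthenticated or bound to every interface."""
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # the Unix socket is protected by filesystem permissions
        bind_addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if bind_addr in _ALL_INTERFACES:
            findings.append(f"{host}: API bound on every interface")
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (no client certificate required)")
    return findings


def check_container(inspect_record: dict) -> list[str]:
    """Flag HostConfig settings that hand a container control over the host."""
    hc = inspect_record.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("pid=host (shares host PID namespace)")
    if hc.get("NetworkMode") == "host":
        findings.append("network=host")
    if set(hc.get("CapAdd") or []) & {"ALL", "SYS_ADMIN", "CAP_SYS_ADMIN"}:
        findings.append("dangerous capabilities added")
    return findings


def audit_containers(records: list[dict]) -> dict[str, list[str]]:
    """Map container name (without docker's leading '/') -> findings, omitting clean ones."""
    report: dict[str, list[str]] = {}
    for rec in records:
        findings = check_container(rec)
        if findings:
            report[rec.get("Name", "").lstrip("/")] = findings
    return report


# Constructed docker-inspect-style records: one with the configuration the article
# reports for the malicious container, one ordinary service container.
SAMPLE_CONTAINERS = [
    {"Name": "/kube-edagent",
     "Config": {"Image": "ubuntu:mantic-20240405"},
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "default", "CapAdd": None}},
    {"Name": "/web-frontend",
     "Config": {"Image": "nginx:1.25"},
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge", "CapAdd": None}},
]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_CONFIG), ("hardened", HARDENED_DAEMON_CONFIG)):
        print(label, "daemon config:", check_daemon_config(cfg) or "ok")
    for container, found in audit_containers(SAMPLE_CONTAINERS).items():
        print(container, "->", ", ".join(found))
```

In practice the container records come from `docker inspect` on each running container and the daemon fragment from `/etc/docker/daemon.json`; the checks are deliberately separate so that a listener bound to a private address but still lacking `tlsverify` is reported on its own.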
The exploitation of exposed Docker Remote API servers for deploying perfctl malware underscores the critical need for enhanced security in containerized infrastructures.
By understanding the attack sequences and implementing robust security measures, organizations can significantly reduce the risk of such sophisticated cyberattacks.
Proactive monitoring, strict access controls, and adherence to security best practices are essential in safeguarding Docker environments against evolving threats.