Attackers have been observed targeting exposed Docker remote API servers and deploying the SRBMiner cryptocurrency miner on compromised instances, according to new research from Trend Micro.
“In this attack, the attackers used the gRPC protocol over h2c to evade security solutions and perform cryptocurrency mining operations on Docker hosts,” researchers Abdelrahman Esmail and Sunil Bharti wrote in a technical report published today.
“The attacker first checked the availability and version of the Docker API and then proceeded to request gRPC/h2c upgrades and gRPC methods to manipulate Docker functionality.”
The attack begins with the attacker running a discovery process to find publicly exposed Docker API hosts and check whether they accept HTTP/2 protocol upgrades, then sending a connection upgrade request for the h2c protocol (i.e., HTTP/2 without TLS encryption).
The attacker then probes gRPC methods for tasks related to managing and operating Docker environments, including health checks, file synchronization, authentication, secret management, and SSH forwarding.
Once the server processes the connection upgrade request, the attacker sends a “/moby.buildkit.v1.Control/Solve” gRPC request to create a container, then uses it to mine the XRP cryptocurrency with the SRBMiner payload hosted on GitHub.
“The malicious actor in this case leveraged the gRPC protocol via h2c, effectively bypassing several security layers, to deploy the crypto miner SRBMiner on a Docker host and illegally mine the XRP cryptocurrency,” the researchers said.
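The chain described above (version discovery, h2c upgrade, gRPC method probing, BuildKit Solve) is easy to recognize once requests to the Docker API port are visible to a sensor. The following detection logic is an added example for this article, not code from the Trend Micro report. It assumes request records in a simple dict shape (client, proto, method, path, headers) of the kind an HTTP/2-aware reverse proxy or sensor placed in front of dockerd could emit; the sample records at the bottom are constructed for the demo, and the "/grpc" path used for the upgrade request there is an assumption. The h2c upgrade header check follows RFC 7540 section 3.2; the Solve method path is the one quoted in the article, while the health-check service prefix is assumed.

```python
"""Detect the Docker remote API abuse chain described above from request records.

Added example for this article, not code from the Trend Micro report. Record shape,
the "/grpc" upgrade path and the sample records below are assumptions/constructed.
"""
import re
from collections import defaultdict

BUILDKIT_SOLVE = "/moby.buildkit.v1.Control/Solve"
GRPC_PREFIXES = ("/moby.buildkit.v1.", "/grpc.health.v1.")   # BuildKit Control service, gRPC health (assumed)
RECON_PATHS = ("/version", "/_ping", "/info")                 # Docker Engine discovery endpoints
API_VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")               # e.g. /v1.45/version -> /version


def _hdr(headers, name):
    """Case-insensitive header lookup returning "" when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def is_h2c_upgrade(headers):
    """True for an HTTP/1.1 request asking to switch to cleartext HTTP/2 (RFC 7540 s3.2)."""
    connection = {t.strip().lower() for t in _hdr(headers, "connection").split(",")}
    return (_hdr(headers, "upgrade").strip().lower() == "h2c"
            and "upgrade" in connection
            and "http2-settings" in connection
            and bool(_hdr(headers, "http2-settings")))


def classify(rec):
    """Map one request record to a stage of the chain, or None if it looks benign."""
    path = API_VERSION_PREFIX.sub("", rec["path"].split("?", 1)[0])
    if rec["proto"] == "HTTP/1.1" and is_h2c_upgrade(rec["headers"]):
        return "h2c_upgrade"
    if path == BUILDKIT_SOLVE:
        return "buildkit_solve"
    if path.startswith(GRPC_PREFIXES) or _hdr(rec["headers"], "content-type").startswith("application/grpc"):
        return "grpc_probe"
    if path in RECON_PATHS:
        return "recon"
    return None


def detect(records):
    """Return {client: {"stages": [...], "severity": ...}} for every client that touched the chain."""
    per_client = defaultdict(list)
    for rec in records:
        stage = classify(rec)
        if stage:
            per_client[rec["client"]].append(stage)
    result = {}
    for client, stages in per_client.items():
        seen = set(stages)
        if "h2c_upgrade" in seen and "buildkit_solve" in seen:
            severity = "critical"   # cleartext HTTP/2 upgrade followed by a BuildKit Solve: the article's chain
        elif "h2c_upgrade" in seen or "buildkit_solve" in seen:
            severity = "high"
        elif "grpc_probe" in seen:
            severity = "medium"
        else:
            severity = "low"        # version discovery alone: internet scanners do this constantly
        result[client] = {"stages": stages, "severity": severity}
    return result


# Constructed sample: one client walking the described chain, one ordinary CLI client.
SAMPLE_RECORDS = [
    {"client": "198.51.100.7", "proto": "HTTP/1.1", "method": "GET", "path": "/v1.45/version", "headers": {}},
    {"client": "198.51.100.7", "proto": "HTTP/1.1", "method": "POST", "path": "/grpc",
     "headers": {"Connection": "Upgrade, HTTP2-Settings", "Upgrade": "h2c", "HTTP2-Settings": "AAMAAABkAAQAAP__"}},
    {"client": "198.51.100.7", "proto": "HTTP/2", "method": "POST", "path": "/grpc.health.v1.Health/Check",
     "headers": {"content-type": "application/grpc"}},
    {"client": "198.51.100.7", "proto": "HTTP/2", "method": "POST", "path": BUILDKIT_SOLVE,
     "headers": {"content-type": "application/grpc"}},
    {"client": "192.0.2.10", "proto": "HTTP/1.1", "method": "GET", "path": "/_ping", "headers": {}},
    {"client": "192.0.2.10", "proto": "HTTP/1.1", "method": "GET", "path": "/v1.45/containers/json", "headers": {}},
]

if __name__ == "__main__":
    for client, info in detect(SAMPLE_RECORDS).items():
        print(f"{client}: {info['severity']} ({' > '.join(info['stages'])})")
```

The per-client correlation is the useful part: a bare GET /version is background noise on any internet-facing port, whereas an h2c upgrade followed by a BuildKit Solve from the same source is the exact sequence the report describes and deserves an immediate look at the host's running containers.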
The disclosure comes after the cybersecurity firm said it also observed attackers exploiting exposed Docker remote API servers to deploy the perfctl malware. That campaign probes for such servers and then creates a Docker container from the image 'ubuntu:mantic-20240405' to run a Base64-encoded payload.
In addition to checking for and terminating duplicate instances of itself, the shell script launches a bash script containing another Base64-encoded payload that downloads a malicious binary disguised as a PHP file ('avatar.php'). The resulting payload, which is created and named httpd, echoes Aqua's report from earlier this month.
Users are advised to protect their Docker remote API servers by implementing strong access control and authentication mechanisms to prevent unauthorized access, monitoring for anomalous activity, and following container security best practices.
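The concrete form of "strong access control and authentication" for the Docker remote API is a TLS listener with mandatory client-certificate verification, bound to a management address rather than every interface. The following is an added example for this article, not part of the Trend Micro report or of Docker: it audits a daemon.json for the weak pattern and shows the weak and hardened configurations side by side. It only reads the documented daemon.json keys "hosts", "tls", "tlsverify", "tlscacert", "tlscert" and "tlskey"; the two sample configurations, the 10.0.0.5 address and the certificate paths are constructed for the demo.

```python
"""Audit a dockerd daemon.json for a remote API listener that anyone can reach.

Added example for this article; not part of the Trend Micro report or of Docker.
The sample configurations, address and certificate paths are constructed.
"""
import json

# Weak: cleartext, unauthenticated API on every interface. Anyone who can reach
# TCP/2375 can create containers, which is exactly the exposure the article describes.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Hardened: TLS with mandatory client-certificate verification, bound to one
# management address. Clients without a certificate signed by ca.pem are refused
# before any API route, including the gRPC upgrade, is reached.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})

ALL_INTERFACES = {"", "0.0.0.0", "[::]", "::"}


def audit_daemon_json(text):
    """Return a list of findings (empty means no remote-API exposure was found)."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings      # unix socket only: nothing to reach over the network
    if not cfg.get("tlsverify"):
        # "tls": true alone encrypts but still accepts any client; only tlsverify authenticates.
        findings.append("tcp listener without tlsverify: every client that reaches the port is root-equivalent")
    for host in tcp_hosts:
        bind = host[len("tcp://"):].rsplit(":", 1)[0]
        if bind in ALL_INTERFACES:
            findings.append(f"{host}: bound to all interfaces")
    if cfg.get("tlsverify"):
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_daemon_json(text) or ["ok"])
```

Two practical caveats: setting "hosts" in daemon.json conflicts with the `-H fd://` flag that distribution systemd units pass on dockerd's ExecStart, so the flag has to be removed from the unit for the file to take effect; and client certificates are only as strong as the CA that issues them, so the listener should still sit behind a network ACL that limits which sources can reach the port at all.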