Researchers with Unit 42, a Palo Alto Networks threat intelligence team, discovered the first cryptojacking malware ever found on popular popular platform-as-a-service Docker.
In a blog post, Unit 42 member Jay Chen said his team referred to the cryptojacking malware as a « worm » named « Graboid, » which is a homage to the 1990’s Kevin Bacon classic « Tremors. » The worm, which was mining for Monero (an open-source cryptocurrency), managed to spread to more than 2,000 unsecured Docker hosts, who use the site to test various applications within a controlled virtual environment.
Docker is particularly popular platform for Linux and Windows developers, but this is the first time Unit 42 had ever seen a cyrptojacking worm spread using the containers found in the Docker Engine’s Community Edition.
Thankfully, Docker worked with Unit 42 to remove the worm as soon as they were notified.
« Because most traditional endpoint protection software does not inspect data and activities inside containers, this type of malicious activity can be difficult to detect. The malicious actor gained an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host, » Chen wrote. « The malware, which was downloaded from command and control servers, is deployed to mine for Monero, and periodically queries for new vulnerable hosts from the C2 and picks the next target at random to spread the worm. Our analysis shows that on average, each miner is active 63% of the time and each mining period lasts for 250 seconds. »
The situation revealed that thousands of Docker engines were not secured properly and subsequently became vulnerable to exposure on the internet.
Chen added that without having to undergo any authentication or secure any authorization, a malicious actor could theoretically take full control of a Docker Engine and its host. From there, the hacker can use this entry point to spread the worm throughout the system.
Within the infected containers, the worm was able to spread itself and perform cryptojacking, randomly selecting three different targets during every iteration. Once the worm is installed into the first target, a Monero miner moves from the second target to the third.
This process confused Unit 42’s researchers because the randomization meant it wasn’t designed effectively.
« Essentially, the miner on every infected host is randomly controlled by all other infected hosts. The motivation for this randomized design is unclear. It can be a bad design, an evasion technique (not very effective), a self-sustaining system or some other purposes, » Chen wrote.
Best practices for protection
At the end of his report, Chen included a list of best practices organizations can use to protect themselves against cryptojackers. First and foremost, a Docker daemon should never be exposed to the internet without a sophisticated mechanism for authentication.
Developers should use Unix socket to communicate locally with any Docker daemon, and firewall rules should be set up to whitelist the incoming traffic to a small set of sources. According to Chen and Unit 42, Docker images should never be pulled from unknown registries or user namespaces.
« While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored, » Chen added.
« If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage, so it’s imperative for organizations to safeguard their Docker hosts. »