Compromised Docker Hosts Use Shodan for Cryptocurrency Mining
Researchers have detected a campaign in which compromised Docker hosts use Shodan to find further targets for cryptocurrency mining.
Hackers scan for Docker hosts with exposed APIs and use them for cryptocurrency mining by deploying malicious, self-propagating Docker images that carry Monero miners and scripts which query Shodan for further vulnerable targets. Researchers at Trend Micro discovered this campaign after a Docker image containing a Monero (XMR) cryptocurrency miner binary was deployed on one of their honeypots, set up as part of their efforts to monitor malicious activity aimed at containers. Sergiu Gatlan, security/tech reporter at Bleeping Computer, writes, “This type of attack is definitely nothing new seeing that researchers from Imperva discovered a similar campaign abusing the CVE-2019-5736 runc vulnerability to deploy cryptominers during early-March.”
“However, the hackers behind the attacks discovered by Trend Micro now also use scripts designed to scan for more vulnerable machines via Shodan search queries scanning for hosts with the 2375 port open and deploying more infected containers to the new targets after brute-forcing their way,” the Bleeping Computer report further says.
An independent security researcher who goes by the name Caprico and researchers at Alibaba Cloud have also observed this campaign.
A blog post dated May 28, 2019 by the Alibaba Cloud researchers says, “Earlier this month, we detected a mining botnet that deploys malicious Docker containers on victim hosts by exploiting Docker’s remote API unauthorized Access vulnerability. We have named the botnet ‘Xulu’ because it serves as username in the botnet’s mining.”
The blog post further says, “Xulu is not the first botnet case that aims at Docker; yet it differs from other botnets by not scanning other hosts by itself, instead it utilizes OSINT (open-source intelligence) technique and dynamically searches Shodan for lists of possible preys…It also placed its controlling server in the Tor network, which is probably an effort to hide the evil backstage manipulator of the botnet.”
The hackers behind the campaign used the exposed APIs to execute commands on the Docker hosts; these commands let them manage (start, stop or kill) existing containers and create new ones by deploying images from a Docker Hub repository under their control.
The Trend Micro team zeroed in on a Docker Hub repository named zoolu2.
Alfredo Oliveira, Senior Threat Researcher at Trend Micro, writes, “By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries.”
The Trend Micro blog post further explains, “All the images in the zoolu2 repository contained the binary of a Monero (XMR) cryptocurrency miner. This piqued our interest since we’ve already had experience with containers being deployed as miners. In addition, some of the images contained a Shodan script that lists Docker hosts with exposed APIs, which we surmised was being used to identify suitable targets for further container distribution.”
Docker found and took down the repository containing the infected Docker images, and Shodan also disabled the accounts used to access its API. But reports say that one malicious Docker image, which has already been downloaded more than 10,000 times, is still available. Other reports point out that the hackers had used another Docker Hub account to host infected images; when that account was deactivated, they kept moving the images to further accounts.
A GitHub user reporting this issue writes, “This image is a worm/botnet/whatever targeting unsecured Docker API instances (port tcp/2375)…It uses Tor to update its mining config and continuously scrapes Shodan for exposed Docker instances (with a hardcoded user/pass which I changed) to infect them as well. It also sets up an SSH server, with a hashed password for the root user (basically a backdoor account).”
The Bleeping Computer report explains how it all works. The malicious Docker images are deployed automatically by a script that looks for exposed APIs and then remotely creates malicious containers using Docker commands. Each deployed container starts an SSH daemon that gives the hackers remote access, launches a custom-built Monero coin-mining binary in the background and, at the same time, runs a third script that scans for more victims through the Shodan API.
The report explains further, “The list of vulnerable hosts gets written to an iplist.txt file which is checked for duplicates, with all the new targets also being scanned for existing cryptocurrency-mining containers which will be deleted if found…The entire list of IP addresses is then sent to the campaign operators’ command-and-control servers ‘to deploy additional containers to other exposed hosts based on the IP list. It then loops to the beginning of the routine stated earlier with a new host.’”
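The exposure that every stage of this campaign depends on is a dockerd API listener on plain TCP (port 2375 by default) with no client-certificate check. The following Python audit is an added example, not code from the article or from Trend Micro, Alibaba Cloud or Docker; it reads the daemon.json keys and dockerd flags that Docker actually supports (hosts, tls, tlsverify, -H/--host, --tls, --tlsverify), while the file paths and sample configurations are constructed for the demonstration.

```python
import json
import shlex

# Listener schemes that are local-only and not reachable from the network.
LOCAL_SCHEMES = ("unix://", "fd://", "npipe://")

# Constructed sample configurations (not taken from the article).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)


def _parse_dockerd_args(argv):
    """Pull -H/--host, --tls and --tlsverify out of a dockerd command line."""
    hosts, tls, tlsverify = [], False, False
    it = iter(argv)
    for arg in it:
        if arg in ("-H", "--host"):
            hosts.append(next(it, ""))
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
    return hosts, tls, tlsverify


def audit_docker_daemon(daemon_json, dockerd_cmdline):
    """Return a finding per network-reachable API listener that requires no
    client certificate; an empty list means no such exposure. daemon.json and
    flags are merged only for auditing (dockerd itself rejects both setting hosts)."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts, tls, tlsverify = _parse_dockerd_args(shlex.split(dockerd_cmdline))
    hosts = list(cfg.get("hosts", [])) + hosts
    tls = tls or bool(cfg.get("tls", False))
    tlsverify = tlsverify or bool(cfg.get("tlsverify", False))
    findings = []
    for host in hosts:
        if host.startswith(LOCAL_SCHEMES):
            continue  # socket/fd listeners are not the exposure seen in this campaign
        if tlsverify:
            continue  # a client certificate is required, so the remote API is authenticated
        if tls:
            findings.append(f"{host}: TLS on but tlsverify off, any client can issue API calls")
        else:
            findings.append(f"{host}: plaintext, unauthenticated Docker API (the port-2375 exposure)")
    return findings
```

On a real host, feed it the contents of /etc/docker/daemon.json and the dockerd line from `ps` or the systemd unit; anything it returns is a listener that the Shodan queries described above would surface.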