The crypto-currency mining craze has now extended from hijacking supercomputers and public computing resources to include application containers, according to a security vendor.
Researchers at Aqua Security said this week they followed up on what was described as widespread accounts of attempted—and sometimes successful—crypto-currency mining attacks on container infrastructure. The reports are emerging as containers enter high-volume production for delivering micro-services.
The exploits against containers follow reports of Bitcoin miners hacking public cloud resources and unauthorized use of research supercomputers to mine for crypto-currency. Those incidents go back as far as 2014 when the National Science Foundation busted a researcher for using NSF-funded supercomputers to mine Bitcoins.
In a detailed blog posted on Thursday (Feb. 15), Aqua Security said it followed up the reports of crypto-currency exploits on containers by setting up “honeypots” designed to lure miners. Specifically, the security trap focused on potential miners scanning Docker daemons that run in the background to manage application containers.
Aqua’s honeypot for luring fraudsters and analyzing breaches consisted of deploying a virtual machine, installing Docker and exposing it to the Internet. The honeypot was designed to detect and log unauthorized activities. “We wanted to focus on how an attacker might deploy a container with the intent of running it, but without actually running it,” said Aqua researcher Yehuda Chikvashvili.
It took only two days to lure intruders, some of which were probably bots. One bona fide attacker attempted to execute Docker commands used for image and container management. The security vendor said the attacker’s initial objective was to identify which version of Docker was running, knowledge that would help determine the API version to be used in an exploit.
The next step was running code containing details of the crypto-currency the miner was after. Once in the system, malicious code would be run on the host’s container platform. One way of injecting malicious code into a Docker host is by pushing a container image to a registry (in this example, Docker Hub). The image can then be “pulled” onto the targeted host and computing resources siphoned off to begin mining.
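The sequence Aqua describes (a remote client asking the exposed daemon for its version, then trying to pull an image or create a container) is something a defender can look for in daemon access logs. The following detection script is an added example, not code from Aqua or the Docker project; the log line format and the sample addresses in it are constructed for illustration, so the parsing regex would need adapting to a real daemon’s log.

```python
"""Flag Docker Engine API clients that query /version and then, within a short
window, attempt an image pull or container create.  The log format below is
constructed for this example (hypothetical): "<epoch> <client-ip> <method> <path>".
"""
import re
from collections import defaultdict

# Constructed sample log: one remote client probes the version, then tries to
# deploy; an internal client only lists containers; another only probes.
SAMPLE_LOG = """\
1518652800 203.0.113.7 GET /v1.24/version
1518652802 203.0.113.7 POST /v1.24/images/create?fromImage=miner
1518652803 203.0.113.7 POST /v1.24/containers/create
1518652900 10.0.0.5 GET /v1.24/containers/json
1518652950 198.51.100.9 GET /version
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")
# The API path may or may not carry a version prefix such as /v1.24.
VERSION_RE = re.compile(r"^(/v[\d.]+)?/version$")
DEPLOY_RE = re.compile(r"^(/v[\d.]+)?/(images/create|containers/create)")


def parse(log: str):
    """Turn raw lines into (timestamp, client_ip, method, path) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path = m.groups()
            events.append((int(ts), ip, method, path))
    return events


def find_suspicious(log: str, window: int = 300):
    """Return {client_ip: [deploy paths]} for clients whose deploy attempt
    followed their own /version query within `window` seconds."""
    last_version = {}            # client_ip -> time of most recent /version
    hits = defaultdict(list)
    for ts, ip, method, path in parse(log):
        if method == "GET" and VERSION_RE.match(path):
            last_version[ip] = ts
        elif method == "POST" and DEPLOY_RE.match(path):
            seen = last_version.get(ip)
            if seen is not None and ts - seen <= window:
                hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in find_suspicious(SAMPLE_LOG).items():
        print(f"version probe followed by deploy from {ip}: {paths}")
```

On the constructed sample only the first client is flagged; the internal listing and the lone version probe are not, which keeps the alert focused on the probe-then-deploy pattern rather than on any single API call.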
After several failed attempts, the lured crypto-miner gave up, Aqua said.
Still, Chikvashvili concluded, “If an attacker can run a rogue container that mines for [B]itcoin, they can probably run containers that do worse things.” Aqua also noted that coin mining is a relatively simple attack that may serve as a tutorial for more sophisticated and costly attacks.
“The attacker was persistent and attempted all known methods to inject a malicious container, when a simple image pull hadn’t worked,” Chikvashvili added.
Aqua said non-production container systems in test and development tend to be the most vulnerable. For example, harried developers may employ configuration shortcuts to meet deployment deadlines. Hence, pre-production systems tend to be less secure, creating openings for hackers and would-be crypto-miners who can “carve [their] way from lower, less important systems to the company network and into true production environments.”
Meanwhile, we await Docker’s response to the container security findings.