2024-03-13

Increasing Docker Exploitation for Cryptomining

Level: Tactical
Source: Cado Security
Global


A campaign targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis has been unveiled by researchers from Cado Security. This operation deploys a suite of Golang payloads and bash scripts designed for the automated discovery and exploitation of vulnerable hosts. In their analysis, Cado Security researchers observe Docker container escapes to Linux hosts, with shell scripts and attack techniques that draw parallels to intrusions orchestrated by cloud-targeting threat actors like TeamTNT and WatchDog. This similarity extends to other campaigns, with references made to the Kiss a Dog campaign reported by CrowdStrike in October 2022 and similarities noted with the Commando Cat campaign Cado Security reported last month.

In the breakdown of the Docker escape intrusion, the initial access vector was identified through a Docker Engine API honeypot. The attackers exploit common service misconfigurations and a known vulnerability in Confluence (CVE-2022-26134) to achieve remote code execution (RCE) and further their intrusion on the compromised hosts. They execute a series of shell scripts that deploy a cryptocurrency miner, establish a reverse shell for persistent access, and employ various Linux attack techniques. A key step in this attack is the creation of a bind mount from a spawned Alpine Linux container to the host's root directory, a common technique in Docker attacks used to gain code execution on the underlying host. Following this, the vurl executable and a cron job are used to connect to the command and control (C2) infrastructure and execute base64-encoded shell commands.

The attackers executed several measures designed to impair system security and evade detection. They modified shell configuration using the shopt command, preventing their activities from being logged to the bash history. This was complemented by deleting the bash history and disabling critical security features, including firewalld, iptables, and SELinux, significantly weakening the host's defenses. Furthermore, the attackers ensured uninterrupted outbound DNS resolution by adding public DNS servers to /etc/resolv.conf. These steps not only obscured their presence on the compromised hosts but also facilitated the deployment of additional utilities such as masscan for later stages of the attack. Cado Security researchers note that the comprehensive anti-forensics techniques demonstrate the attackers' intent to maintain stealth and persistence, a strategy not widely observed in other campaigns.

Among the various scripts used, the fkoths script was crucial in erasing traces of the attackers' initial access by deleting specific Docker images, an action Cado Security researchers describe as a "blackholing" tactic. This involved updating the /etc/hosts file to block outbound requests to the Docker registry, thereby preventing the download of additional container images and isolating the host. Together with the deployment of the s.sh script, this facilitated crucial infrastructure setup for the malware's operation and target discovery. Moreover, scripts such as h.sh, d.sh, c.sh, and w.sh specialized in exploiting specific services, scanning for open ports, and leveraging vulnerabilities for entry. By adding an SSH key, these scripts ensured an added layer of persistence.
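Two of the host-side artifacts described above, the container bind mount of the host's root directory and the /etc/hosts "blackholing" of the Docker registry, can be checked for from `docker inspect` output and the hosts file. The following is an added detection example, not code from the Cado Security report or the Anvilogic summary; the registry hostnames and the sample inspect/hosts data are constructed assumptions.

```python
import json

# Docker registry hostnames to watch for (assumed list, not taken from the report).
REGISTRY_HOSTS = {"registry-1.docker.io", "index.docker.io", "docker.io",
                  "hub.docker.com", "auth.docker.io"}
# Addresses that make a hosts entry a blackhole rather than a real override.
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def find_root_bind_mounts(inspect_json):
    """Return (container name, destination) for every bind mount whose host
    source is '/', i.e. a container that can see the entire host filesystem."""
    hits = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == "/":
                hits.append((c["Name"], m.get("Destination")))
    return hits


def find_registry_blackholes(hosts_text):
    """Return (ip, hostname) pairs in /etc/hosts that point a Docker registry
    name at a null or loopback address, blocking image pulls from the host."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        hits.extend((ip, n) for n in names
                    if ip in BLACKHOLE_IPS and n in REGISTRY_HOSTS)
    return hits


# Constructed sample data shaped like `docker inspect` output and an /etc/hosts file.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Mounts": [{"Type": "volume",
        "Source": "/var/lib/docker/volumes/x/_data", "Destination": "/data"}]},
    {"Name": "/alpine_tmp", "Mounts": [{"Type": "bind",
        "Source": "/", "Destination": "/mnt"}]},
])
SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 registry-1.docker.io
0.0.0.0 index.docker.io # added by intruder
10.0.0.5 internal.example
"""

if __name__ == "__main__":
    print("root bind mounts:", find_root_bind_mounts(SAMPLE_INSPECT))
    print("registry blackholes:", find_registry_blackholes(SAMPLE_HOSTS))
```

On a live host, feed `docker inspect $(docker ps -aq)` and the contents of /etc/hosts to the two functions; any hit is worth an incident ticket, since neither condition arises from normal image deployment.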

Cado Security's research and analysis offer essential insights into attack techniques against Docker instances and the activities of threat actors following container escape, detailing the various steps taken by the threat actor to progress their intrusion, culminating in the deployment of a cryptominer.
