Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

Oct 22, 2024 | Ravie Lakshmanan | Docker Security / Cloud Security

Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner cryptocurrency miner on compromised instances, according to new findings from Trend Micro.

"In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their cryptocurrency mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published today.

"The threat actor first checked the availability and version of the Docker API, then proceeded with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities."


It all starts with the attacker carrying out a discovery process to check for public-facing Docker API hosts and whether the daemon accepts HTTP/2 protocol upgrades, then sending an upgrade request to the h2c protocol (i.e., HTTP/2 without TLS encryption). Because the upgrade happens on the same port as the REST API, inspection tools that only parse HTTP/1.1 JSON calls do not see the gRPC traffic that follows the 101 Switching Protocols response.

The attacker also proceeds to enumerate gRPC methods used for performing various tasks related to managing and operating Docker environments, including those for health checks, file synchronization, authentication, secrets management, and SSH forwarding. These are the BuildKit session services that the daemon exposes over its gRPC route.

Once the server accepts the upgrade request, a "/moby.buildkit.v1.Control/Solve" gRPC request is sent to create a container and then use it to mine the XRP cryptocurrency using the SRBMiner payload hosted on GitHub.
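The two reconnaissance steps described above (check the API version, then ask for the h2c upgrade) can be reproduced with nothing more than raw sockets. The following is an added example for checking your own hosts, not code from Trend Micro, Docker, or the attackers. It assumes the daemon listens on the conventional plaintext port 2375, that GET /version returns dockerd's JSON, and that the daemon's gRPC route is POST /grpc, which dockerd switches to cleartext HTTP/2 when it sees Upgrade: h2c. The sample replies in the test are constructed.

```python
"""Probe an exposed Docker remote API for the h2c upgrade path.
Added example; assumptions: port 2375, GET /version, POST /grpc with Upgrade: h2c."""
import json
import socket
import sys
from typing import Dict, Optional, Tuple

DOCKER_PORT = 2375      # assumption: the daemon's conventional plaintext TCP port
GRPC_ROUTE = "/grpc"    # assumption: dockerd's gRPC route that accepts the h2c upgrade


def build_version_probe(host: str) -> bytes:
    """Reconnaissance request: GET /version shows whether dockerd answers and which API it speaks."""
    return (f"GET /version HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def build_h2c_upgrade(host: str, path: str = GRPC_ROUTE) -> bytes:
    """HTTP/1.1 request asking the daemon to switch this socket to cleartext HTTP/2.
    RFC 7540 requires an HTTP2-Settings header on an h2c upgrade; an empty SETTINGS
    payload encodes to an empty value."""
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: Upgrade, HTTP2-Settings\r\n"
            "Upgrade: h2c\r\n"
            "HTTP2-Settings: \r\n"
            "Content-Length: 0\r\n\r\n").encode()


def split_http(reply: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 reply into status code, lower-cased headers and body."""
    head, _, body = reply.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def docker_version(reply: bytes) -> Optional[dict]:
    """Return the /version JSON when the reply came from dockerd, else None."""
    status, headers, body = split_http(reply)
    if status != 200 or not headers.get("server", "").lower().startswith("docker/"):
        return None
    try:
        info = json.loads(body)
    except ValueError:
        return None
    return info if "ApiVersion" in info else None


def upgrade_accepted(reply: bytes) -> bool:
    """True when dockerd answered 101 Switching Protocols with Upgrade: h2c, i.e. the
    socket is now an unauthenticated HTTP/2 channel to the daemon's gRPC services."""
    status, headers, _ = split_http(reply)
    return status == 101 and headers.get("upgrade", "").lower() == "h2c"


def _read_reply(sock: socket.socket) -> bytes:
    """Read head plus body. After a 101 the server waits for the HTTP/2 preface instead
    of closing, so stop as soon as the headers are complete."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
    status, headers, body = split_http(data)
    if status == 101:
        return data
    want = int(headers.get("content-length", -1))
    while want < 0 or len(body) < want:   # Connection: close terminates an unsized body
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return data[: data.index(b"\r\n\r\n") + 4] + body


def probe(host: str, port: int = DOCKER_PORT, timeout: float = 3.0) -> dict:
    """Live check of one host you own: is the API exposed, and does it grant the h2c upgrade?
    Each request uses a fresh connection. Not exercised by the offline test."""
    result = {"host": host, "version": None, "h2c": False}
    for request, key in ((build_version_probe(host), "version"), (build_h2c_upgrade(host), "h2c")):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(request)
                reply = _read_reply(sock)
            result[key] = docker_version(reply) if key == "version" else upgrade_accepted(reply)
        except (OSError, ValueError, IndexError):
            continue
    return result


if __name__ == "__main__":
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A host that reports a version and answers the upgrade with 101 is exactly what the campaign is scanning for: no credential was needed for either step. The probe stops at the 101 on purpose; sending the HTTP/2 preface and a Solve call is the attacker's next step and is not reproduced here.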


"The malicious actor in this case exploited the gRPC protocol over h2c, effectively bypassing several security layers to deploy the SRBMiner cryptocurrency miner on the Docker host and mine XRP cryptocurrency illegally," the researchers said.

The disclosure comes as the cybersecurity company said it also observed attackers abusing exposed Docker remote API servers to deploy the perfctl malware. The attack chain involves scanning for such servers, followed by creating a Docker container from the image "ubuntu:mantic-20240405" and executing a Base64-encoded payload.


The shell script, besides checking for and killing duplicate instances of itself, creates a bash script that, in turn, contains another Base64-encoded payload responsible for downloading a malicious binary masquerading as a PHP file ("avatar.php") and delivering a payload named httpd, mirroring a report from Aqua earlier this month.

Users are advised to secure Docker remote API servers by enforcing strong access controls and authentication mechanisms to prevent unauthorized access, monitor them for any unusual activity, and implement container security best practices. Concretely, do not bind dockerd to a TCP port unless it is required; when it is, require mutual TLS (tlsverify) and restrict the listener to a management network, because anyone who can reach an unauthenticated API can create privileged containers and, through the h2c upgrade, drive BuildKit directly.
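The weak and hardened daemon configurations behind that advice, with a small audit routine, as an added example rather than anything from the article. The two daemon.json fragments are constructed; the option names (hosts, tlsverify, tlscacert, tlscert, tlskey) are dockerd's own, while the addresses and certificate paths are placeholders.

```python
"""Audit a dockerd daemon.json for unauthenticated TCP listeners.
Added example; the two configurations below are constructed."""
import json
from typing import List

# Weak: the shape the cryptojacking campaigns find with a port scan.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Hardened: bound to one management address, clients must present a certificate
# signed by the CA in tlscacert (mutual TLS).
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_json(text: str) -> List[str]:
    """Return one finding per problem with each TCP listener; [] means nothing to report."""
    cfg = json.loads(text)
    findings: List[str] = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue                                   # unix:// and fd:// are local-only
        host, _, port = listener[len("tcp://"):].rpartition(":")
        if host in ("", "0.0.0.0", "[::]"):
            findings.append(f"{listener}: bound to every interface; restrict to a management address")
        if not cfg.get("tlsverify"):
            findings.append(f"{listener}: no tlsverify, so any client that can reach the port gets "
                            "root-equivalent control of the host, including BuildKit over h2c")
        else:
            missing = [k for k in TLS_KEYS if k not in cfg]
            if missing:
                findings.append(f"{listener}: tlsverify set but {', '.join(missing)} missing; "
                                "set all three explicitly")
            if port == "2375":
                findings.append(f"{listener}: TLS listener on 2375; use 2376 so clients and "
                                "scanners assume the right mode")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(text) or "ok")
```

Two caveats when applying this. The audit only sees daemon.json; a `-H tcp://` flag on the dockerd command line creates the same listener, so check the systemd unit as well (and on systemd installs, setting hosts in daemon.json conflicts with the unit's `-H fd://`, so the listener list must live in one place). And tlsverify moves the trust boundary to the CA: anyone who can obtain a client certificate signed by it has the same control the attackers had over the open port, so issuance needs to be as tightly held as root on the host.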
