Bad actors have been observed targeting Docker remote API servers according to Trend Micro’s new findings, to deploy the SRBMiner cryptominer on hacked instances.
“In this attack, the actor used a threat gRPC the protocol is over h2c evade security solutions and run their cryptomining operations on a Docker host,” researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published today.
“The attacker first checked the availability and version of the Docker API, then proceeds with gRPC/h2c update requests and gRPC methods to manipulate Docker functions.”
It all starts with the attacker running a discovery process to check public Docker API hosts for HTTP/2 protocol updates, then sending a connection update request to the h2c protocol (eg HTTP/2 without TLS). encryption).
The adversary also proceeds to inspect gRPC methods, which are designed to perform various tasks related to managing and operating a Docker environment, including health checks, file synchronization, authentication, secret management, and SSH redirection.
After the server processes the connection update request, the gRPC request “/moby.buildkit.v1.Control/Solve” is sent to create a container and then use it to mine XRP cryptocurrency with the SRBMiner payload hosted on GitHub.
“The attacker in this case used the gRPC protocol over h2c, effectively bypassing multiple layers of security, to deploy the SRBMiner cryptominer on a Docker host and illegally mine XRP cryptocurrency,” the researchers said.
The disclosure comes as the cyber security firm also made the announcement is observed attackers use exposed remote Docker API servers to deploy perfect malware. The campaign involves inspecting such servers, then creating a Docker container with the image “ubuntu:mantic-20240405” and executing a Base64-encoded payload.
The shell script, in addition to checking for and stopping duplicates of itself, creates a bash script that in turn contains another Base64-encoded payload responsible for loading a malicious binary masquerading as a PHP file (“avatar.php”), and delivers a payload called httpd by repeating a the report from Aqua earlier this month.
Users are encouraged to secure remote Docker API servers by implementing strict access controls and authentication mechanisms to prevent unauthorized access, monitoring for any unusual activity, and implementing container security best practices.
