Docker Misconfiguration Cryptocurrency Campaign

Trend Micro recently observed cases of abuse of the systems running misconfigured Docker Engine-Community with Docker application program interface (API) ports exposed. They noticed that the malicious activities were focused on scanning for open ports 2375/TCP and 2376/TCP, which are used by the Docker engine daemon (dockerd). The intrusion attempts to deploy a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.SH.MALXMR.ATNE) on the misconfigured systems.

Docker implements virtualization on the operating-system (OS) level — also known as containerization. The Docker APIs, in particular, allow remote users to control Docker images like a local Docker client does. Opening the API port for external access is not recommended, as it can allow hackers to abuse this misconfiguration for malicious activities.

The Docker engine itself isn’t compromised or abused, and Docker’s enterprise platform is not affected. They found these rare instances of abuse on Docker Community versions. In fact, Docker’s technology has security features that its users can enable and configure to protect containers and workloads. Docker also has tools, documentations, and guidelines that can help with securing Docker community and enterprise platforms. Of course, in either case, security best practices would dictate that these ports should never be left open. For example, enterprises running business applications are recommended to use a commercial Docker Enterprise solution that has a precise, role-based access control settings that only allow authenticated use of the API.

In the research, the exposure of the Docker API ports was a result of misconfiguration on the user’s part, as we found that the misconfigurations were manually set up at the administrator level.

Resolution

Users and administrators are advised to review the Docker security pages and make any appropriate configuration changes as soon as possible.

For further details read the full report here