Towards the end of 2017, there was a major shift in the malware scene. As cloud-based technologies became more popular, cybercrime gangs also began targeting Docker and Kubernetes systems.
Most of these attacks followed a very simple pattern where threat actors scanned for misconfigured systems that had admin interfaces exposed online in order to take over servers and deploy cryptocurrency-mining malware.
Over the past three years, these attacks have intensified, and new malware strains and threat actors targeting Docker (and Kubernetes) are now being discovered on a regular basis.
But despite the fact that malware attacks on Docker servers are now commonplace, many web developers and infrastructure engineers have not yet learned their lesson and are still misconfiguring Docker servers, leaving them exposed to attacks.
The most common of these mistakes is leaving Docker remote administration API endpoints exposed online without authentication.
Over the past years, malware like Doki, Ngrok, Kinsing (H2miner), XORDDOS, AESDDOS, Team TNT, and others, have scanned for Docker servers that left the Docker management API exposed online and then abused it to deploy malicious OS images to plant backdoors or install cryptocurrency miners.
The latest of these malware strains was discovered last week by Chinese security firm Qihoo 360. Named Blackrota, this is a simple backdoor trojan that is basically a simplified version of the CarbonStrike beacon implemented in the Go programming language.
Only a Linux version was discovered until now, and it is unclear how this malware is being used. Researchers don’t know if a Windows version also exists, if Blackrota is being used for cryptocurrency mining, or if it’s used for running a DDoS botnet on top of powerful cloud servers.
What it is known is that Blackrota relies on developers who have made a mistake and accidentally misconfigured their Docker servers.
The lesson from Blackrota and past attacks, is that Docker is not a fringe technology anymore. Threat actors are now targeting it on purpose with at-scale attacks on a near daily basis.
Companies, web developers, and engineers running Docker systems part of production systems are advised to review the official Docker documentation to make sure they have secured Docker’s remote management capabilities with proper authentication mechanisms, such as certificate-based authentication systems.
Currently, there are plenty of tutorials around to guide even the most inexperienced developers with step-by-step guides.
With Docker gaining a more prominent place in modern-day infrastructure setup, with attacks on the rise, and with the number of malware strains that target Docker systems growing by the month, it’s time that developers took Docker security seriously.