By David Fiser, Jakub Urbanec and Jaromir Horejsi
Misconfiguration is not novel. However, cybercriminals still find that it is an effective way to get their hands on organizations’ computing resources to use for malicious purposes and it remains a top security concern. In this blog post, we will detail an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant (detected by Trend Micro as Backdoor.Linux.DOFLOO.AA) of the Linux botnet malware AESDDoS caught by our honeypots.
Docker APIs that run on container hosts allow the hosts to receive all container-related commands that the daemon, which runs with root permission, will execute. Allowing external access — whether intentionally or by misconfiguration — to API ports allows attackers to gain ownership of the host, giving them the ability to poison instances running within it with malware and to gain remote access to users’ servers and hardware resources. Previously, we have seen how exposed Docker hosts can be taken advantage of by cybercriminals, such as deploying cryptocurrency-mining malware.
In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon. Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.
The tool and the payload
When examining a query received by our honeypot, we noticed a link to one file from an HTTP file server (HFS) panel. Accessible HFS panels are known to have been abused by Chinese threat actors in the past to host their malicious binaries, such as the ELF Linux/BillGates.Lite malware, and botnets like Elknot/Setag, MrBlack, and Gafgyt, among others.
Figure 1. HFS panel with listing of hosted malware and tools
In the HFS panel we found, there was a file named 2375-SYNG口漏洞.zip (translated as 2375 SYN port vulnerability), and analysis revealed that it is a tool used by the threat actor to scan internet ranges for vulnerable machines. It also yields some interesting contents: A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file. The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.
Figure 2. Contents of the 2375-SYNG口漏洞.zip archive
We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.
Note: Translated in English, the content reads: 2375 Docker Batch Test Rapid Edition
2375 Docker Batch Test Rapid version By: fireworks QQ154284301
Only for vulnerability detection. Do not use for illegal purposes. If there is illegal use, the user bears the legal responsibility. Everything has nothing to do with the author
Figure 3. Docker batch test tool screen capture
Figure 4. WinEggDrop port scanner
After running the Docker.exe tool, the operator is presented with the following message:
Note: Translated in English, the content reads:
There is 1 IP address to be tested, please wait!
The test is done, preparing for the next scan!
Figure 5. Docker scanner progress message.
The Docker.exe tool attempts to list all the Docker containers in a given machine via /containers/json.
Figure 6. JSON query to list all available containers
It then executes commands within the running containers. The cmd parameter in the JSON string below is the content of the Shell.txt file inside the tool’s .zip archive.
Figure 7. Query to set up the exec instance in a running container
Docker.exe then deploys the AESDDoS botnet malware, which allows attackers to launch several types of DDoS attacks, such as SYN, LSYN, UDP, UDPS, and TCP flood. This malware variant has been previously seen dispatching DDoS attacks, remote code execution, and cryptocurrency-mining activities to systems running vulnerable Confluence Server and Data Center versions.
Figure 8. AESDDoS shows this message when connecting to its C&C server
Figure 9. List of implemented DDoS methods
DevOps security recommendations and Trend Micro solutions
Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.
To prevent container-based incidents from happening, organizations can follow these guidelines:
- Check API configuration. System administrators and developers should ensure that APIs are set to receive requests only from determined hosts or internal networks. Secure API endpoints with HTTPS and certificates.
- Implement the principle of least privilege. Make sure that container images are signed and authenticated. Access to critical components like the daemon service that helps run containers should be restricted. Network connections should also be encrypted.
- Follow recommended best practices. Docker provides a comprehensive list of best practices and has built-in security features professionals can take advantage of.
- Employ automated runtime and image scanning to gain further visibility into the container’s processes (e.g., to determine if it has been tampered with or has vulnerabilities). Application control and integrity monitoring help keep an eye out for anomalous modifications on servers, files, and system areas.
Trend Micro helps DevOps teams to build securely, ship fast, and run anywhere. The Trend Micro™ Hybrid Cloud Security solution provides powerful, streamlined, and automated security within the organization’s DevOps pipeline and delivers multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It also adds protection for containers via the Deep Security™ solution and Deep Security Smart Check, which scans Docker container images for malware and vulnerabilities at any interval in the development pipeline to prevent threats before they are deployed.
Indicators of Compromise
|SHA-256||Detection name||File name|