Two security companies, Fortinet and Kromtech, unearthed seventeen malicious Docker container images that had been downloaded 5 million times and were designed to mine cryptocurrency. The images carrying the malware had been online for at least 12 months. After complaints on GitHub and Twitter, researchers at sysdig.com investigated the issue.
Orchestration platforms such as Kubernetes are frequently misconfigured by accident, for example by exposing the API server or admin console to the internet without authentication. That gives attackers the opening to deploy automated tooling that mines Monero on the victim's compute.
The attackers behind those images earned roughly $90,000 (544.74 Monero) simply by pushing malicious application images to the public Docker Hub registry and waiting for victims' systems to pull and run them.
The clusters most at risk are Kubernetes clusters deployed for testing or training without the correct security measures in place. Once compromised, they present a severe risk to their owners: an attacker who can schedule containers has code execution inside the cluster and access to whatever credentials it holds.
Why did criminals turn to crypto mining? It is simply a matter of profit: "cryptojacking" now pays better than the alternatives. Initially, selling stolen credit card data on the dark web generated the most money; as prices for stolen records declined, the criminals moved to ransomware. Today there is considerably more revenue in hijacking individual machines for mining than in ransomware. The next step is that malware authors have found a way to bypass the need to control individual computers and have moved their operations to the cloud: they now port-scan the internet for misconfigured container hosts and clusters and use the computational power to mine cryptocurrency.
In January, Sysdig reported that criminals had shifted from attacking EC2 instances to targeting container- and Kubernetes-specific misconfigurations and exploits. The company set up a honeypot server with a deliberately misconfigured Kubernetes deployment; within a short time it was running malicious Docker containers that mined Monero.
In February this year, security researchers at RedLock found hundreds of Kubernetes admin consoles fully accessible from the internet because they had been set up with no password protection. It is not solely education or test servers that are at risk: Tesla was the victim of a crypto mining operation. Through one of its Kubernetes installs, which exposed access credentials, the criminals obtained access to the entire AWS environment, including Amazon S3 buckets holding sensitive data such as telemetry. Not content with exposing sensitive data, the hackers were also running crypto miners on the platform.
Hyve-certified experts architect, deploy and manage Docker Enterprise Edition. Docker EE delivers an integrated security framework that allows the delivery of safer applications and improves policy automation. Additionally, because our customers go through a vetting and contract process before they can simply spin up a VM inside our network, the Hyve cloud environment is designed to be safer and more secure than other public cloud offerings on the market. To discuss your container hosting strategy, please contact us today.