Docker APIs continue to be a target for hackers. ProgrammableWeb reported on Twitter's failure to secure its Docker setup that led to the download of Vine's entire source code. Earlier this year, it was reported that attackers went after Docker and Kubernetes to mine cryptocurrencies. Now, Trend Micro has reported an attacker that is actively looking for Docker Engine API vulnerabilities to mine coins.
Docker containers are widely deployed across the modern web. When Docker-backed applications run smoothly in the background, it's easy to overlook their presence. However, attackers are now able to search en masse for unsecured Docker APIs. When one is found, attackers can launch containers on the exposed Docker engine for their own malicious purposes (e.g. coin mining).
Bleeping Computer described the strategy in a recent article:
When the container is deployed and activated, it will launch an auto.sh script that will download a Monero miner and configure it to launch automatically. The script will also download port scanning software, which will scan for other vulnerable Docker Engine instances on ports 2375 and 2376 and attempt to further spread to them.
Despite Docker's usefulness, it has now been the target of abuse for years. Administrators must properly lock down Docker systems prior to deployment. Trend Micro suggests five steps:
- Harden the security posture
- Ensure container images are authenticated, signed, and come from a trusted registry
- Use least privilege principle
- Configure/limit the number of resources containers can use
- Enable Docker's security features
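The exposure the article describes comes from dockerd listening on a TCP port (2375/2376) without TLS client verification. As an added example that is not from the article or from Trend Micro, the following script audits a daemon.json document for that condition and for a few of the hardening steps above; the sample configurations are constructed for illustration, and the daemon.json keys used (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, `no-new-privileges`) are standard dockerd options.

```python
import json
from typing import List
from urllib.parse import urlsplit

# Constructed sample: the weak setup attackers scan for (API on 0.0.0.0:2375, no TLS).
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TCP listener restricted to loopback, TLS client auth required,
# and new-privilege escalation inside containers disabled.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "no-new-privileges": True,
})


def audit_daemon_config(text: str) -> List[str]:
    """Return human-readable findings for a daemon.json document (empty list = no issues)."""
    cfg = json.loads(text)
    findings = []
    hosts = cfg.get("hosts", [])
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if not tls_verify:
            findings.append(f"{host}: TCP API listener without tlsverify (unauthenticated)")
        if parts.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{host}: API bound to all interfaces")
        if parts.port == 2375:
            findings.append(f"{host}: conventional plaintext port 2375")
    if hosts and tls_verify and not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify enabled but tlscacert/tlscert/tlskey not all set")
    if cfg.get("no-new-privileges") is not True:
        findings.append("no-new-privileges not enabled (least-privilege hardening missing)")
    return findings


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "OK")
```

Run it against `/etc/docker/daemon.json` on each host; a non-empty result for a production box is the condition the article says to fix before deployment.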
If you have Docker containers in production and are unsure of their security, check them out ASAP. If you are getting ready to deploy new containers, use these five steps to help fend off attackers.