Docker APIs under attack once again

News
By published

Attackers are building malicious images directly on targeted hosts

(Image credit: Pixabay)

Cybercriminals have launched attacks against Docker APIs in the past but now they're building and running malicious container images on the host according to a new report from Aqua's Nautilus Team.

In a blog post detailing the discovery, lead data analyst at Aqua Security, Assaf Morag explained that this is the first time the firm has observed attackers building their own images as opposed to using ones from a public registry, saying:

“The attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host. As far as we know, this is the first time that an attack in which the attacker builds an image rather than pulling it from a public registry is observed in the wild.”

The researchers set up a honeypot that was able to capture the attack in real time and they used these recordings to analyze it afterward.

Building images directly on a targeted host

What sets this recent attack against Docker APIs apart from previous ones is the fact that the “the attacker did not pull an image from a remote source” but instead chose to build the image directly on the targeted host in an effort to bypass defense mechanisms. This also allows the attacker to increase the persistency of their infrastructure by building it directly on the host.

This new tactic is quite concerning as it prevents hosts from reporting malicious images to Docker Hub or other public registries. Aqua and others companies like it scan these registries frequently in order to find and collect malicious images used by hackers.

According to Morag's blog post, the image built directly on the host was used to execute a resource hijacking attack by using a cryptominer and cryptomining is the currently the most popular attack method used for containers.

Although this new tactic does require a bit more work, it is not too technically complex and can be carried out by less skilled hackers.

Via TechTarget

Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what happened
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
A close up of a xenomorph with Earth reflected on its head in the Alien: Earth TV show teaser

Disney+ celebrates 5 years of streaming with 2025 lookahead – here are 3 movies and shows I can't wait to watch
See more latest
Most Popular
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
A screenshot from Indiana Jones and the Great Circle showing Indiana Jones
Indiana Jones and the Great Circle finally gets PS5 release date and I can't wait to don the fedora and crack the whip
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Tuesday, March 25 (game #387)