Docker APIs under attack once again

Cybercriminals have launched attacks against Docker APIs in the past, but now they're building and running malicious container images on the host, according to a new report from Aqua's Nautilus Team.

In a blog post detailing the discovery, Assaf Morag, lead data analyst at Aqua Security, explained that this is the first time the firm has observed attackers building their own images as opposed to using ones from a public registry, saying:

“The attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host. As far as we know, this is the first time that an attack in which the attacker builds an image rather than pulling it from a public registry is observed in the wild.”

The researchers set up a honeypot that was able to capture the attack in real time and they used these recordings to analyze it afterward.

Building images directly on a targeted host

What sets this recent attack against Docker APIs apart from previous ones is that “the attacker did not pull an image from a remote source” but instead chose to build the image directly on the targeted host in an effort to bypass defense mechanisms. Building it directly on the host also allows the attacker to increase the persistence of their infrastructure.

This new tactic is quite concerning as it prevents hosts from reporting malicious images to Docker Hub or other public registries. Aqua and other companies like it scan these registries frequently in order to find and collect malicious images used by hackers.

According to Morag's blog post, the image built directly on the host was used to execute a resource hijacking attack with a cryptominer, and cryptomining is currently the most popular attack method used for containers.

Although this new tactic does require a bit more work, it is not too technically complex and can be carried out by less skilled hackers.
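
As an added illustration (not from Aqua's report or the original article), here is a small detector for the build-then-run sequence described above, run over constructed access-log lines. The log format, the `trusted` allowlist and the function names are assumptions; the routes are the Docker Engine API's build, image-pull, container-create and container-start endpoints.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed access-log format (not from the report):
# "<timestamp> <source_ip> <METHOD> <path> <status>"
SAMPLE_LOG = """\
2020-07-01T10:00:09Z 10.0.0.5 POST /v1.40/images/create?fromImage=nginx&tag=1.19 200
2020-07-01T10:00:12Z 10.0.0.5 POST /v1.40/containers/create?name=web 201
2020-07-01T10:00:13Z 10.0.0.5 POST /v1.40/containers/aaa111/start 204
2020-07-01T11:30:00Z 203.0.113.7 GET /v1.40/version 200
2020-07-01T11:30:04Z 203.0.113.7 POST /v1.40/build?t=placeholder-image 200
2020-07-01T11:30:20Z 203.0.113.7 POST /v1.40/containers/create 201
2020-07-01T11:30:21Z 203.0.113.7 POST /v1.40/containers/bbb222/start 204
"""

# Docker Engine API routes that matter for a build-then-run sequence
ROUTE = re.compile(r"^(?:/v[\d.]+)?/(build|images/create|containers/create|containers/[^/]+/start)$")

def classify(method, path):
    """Name the step a request represents, or None if it is not of interest."""
    m = ROUTE.match(urlsplit(path).path) if method == "POST" else None
    if not m:
        return None
    return "start" if m.group(1).endswith("/start") else m.group(1)

def find_build_and_run(log_text, trusted=frozenset({"127.0.0.1"})):
    """Alert on untrusted sources that build an image on the host, then start a container."""
    state, alerts = {}, []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line
        ts, src, method, path, status = parts
        step = classify(method, path)
        if step is None or src in trusted or not status.startswith("2"):
            continue  # ignore other routes, allowlisted hosts and failed requests
        s = state.setdefault(src, {"built_at": None, "tag": None, "pulls": 0, "created": False})
        if step == "images/create":  # a registry pull, the pattern seen in earlier attacks
            s["pulls"] += 1
        elif step == "build":  # image built on the host; "t" carries the tag
            tag = parse_qs(urlsplit(path).query).get("t", ["<untagged>"])[0]
            s.update(built_at=ts, tag=tag, created=False)
        elif step == "containers/create" and s["built_at"]:
            s["created"] = True
        elif step == "start" and s["created"]:
            alerts.append({"source": src, "image_tag": s["tag"], "built_at": s["built_at"],
                           "started_at": ts, "registry_pulls": s["pulls"]})
            del state[src]
    return alerts
```

Hosts that legitimately build images through the API, such as CI runners, belong in `trusted`; the pull-based sequence from 10.0.0.5 in the sample produces no alert.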

Via TechTarget

Anthony Spadafora
