Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

October 22, 2024 at 10:30AM

Trend Micro reports attacks on Docker remote API servers, deploying SRBMiner to mine XRP cryptocurrency. Attackers use the gRPC protocol over h2c to bypass security measures. They probe for public Docker APIs, upgrade connections, and execute malicious commands. Users are advised to enhance security measures to prevent unauthorized access.

**Meeting Takeaways – Docker Security / Cloud Security (Oct 22, 2024)**

1. **Threat Overview**: Bad actors are targeting Docker remote API servers to deploy SRBMiner crypto miner on compromised instances, as reported by Trend Micro.

2. **Attack Methodology**:
– Attackers use the gRPC protocol over h2c (HTTP/2 without TLS, i.e. cleartext) to bypass security measures.
– Discovery involves checking for public-facing Docker API hosts and whether they accept an HTTP/2 upgrade.
– The attacker then sends a connection-upgrade request to switch to h2c and drives Docker functionality through various gRPC methods.

3. **Crypto Mining Deployment**:
– After gaining access, attackers send a specific gRPC request to create a container for mining XRP cryptocurrency using SRBMiner.

4. **Additional Malware Observations**:
– Trend Micro also reported attacks deploying perfctl malware through exposed Docker remote API servers.
– The exploitation involves creating a Docker container with a specific image and executing Base64-encoded scripts to download malicious binaries.

5. **Recommendations for Security**:
– Secure Docker remote API servers with strong access controls and authentication.
– Monitor for unusual activities and ensure adherence to container security best practices.

6. **Research Recognition**: The findings were authored by researchers Abdelrahman Esmail and Sunil Bharti, highlighting the evolving tactics of cyber threats in cloud environments.
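The probe, h2c upgrade and container-create sequence described in items 2 and 3 leaves a recognisable trail in the access log of any reverse proxy placed in front of the Docker remote API. The following detector is an added example written for this summary, not code from Trend Micro or the Docker project. The log line format, the sample lines and the allowlisted client are all constructed assumptions; the Docker API paths (`/_ping`, `/version`, `/containers/create`, `/images/create`) and the `application/grpc` content type are real.

```python
"""Added example: flag the probe -> h2c upgrade -> container-create pattern
against a Docker Remote API in reverse-proxy access logs."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed log format (not from the article): a reverse proxy in front of
# dockerd writes one line per request as
#   client_ip "METHOD PATH PROTO" status "Upgrade header" "Content-Type header"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) "(?P<upgrade>[^"]*)" "(?P<ctype>[^"]*)"$'
)

# Constructed sample lines. 203.0.113.7 probes the API, then asks for an h2c
# upgrade while creating a container; 10.0.0.5 is a known CI host.
SAMPLE_LOG = """\
203.0.113.7 "GET /_ping HTTP/1.1" 200 "" ""
203.0.113.7 "GET /v1.45/version HTTP/1.1" 200 "" ""
203.0.113.7 "POST /v1.45/containers/create HTTP/1.1" 101 "h2c" "application/grpc"
10.0.0.5 "GET /v1.45/containers/json HTTP/1.1" 200 "" "application/json"
10.0.0.5 "POST /v1.45/containers/create HTTP/1.1" 201 "" "application/json"
198.51.100.9 "POST /v1.45/images/create?fromImage=example HTTP/1.1" 200 "" "application/json"
"""

PROBE_PATHS = ("/_ping", "/version")
LIFECYCLE_PATHS = ("/containers/create", "/images/create")


@dataclass
class Finding:
    ip: str
    reason: str
    line: str


def _normalise(path: str) -> str:
    """Drop the optional API version prefix and the query string, e.g.
    /v1.45/images/create?fromImage=x -> /images/create."""
    path = re.sub(r"^/v\d+\.\d+", "", path)
    return path.split("?", 1)[0]


def analyse(log_text: str, allowed_ips=frozenset()) -> list:
    """Return one Finding per suspicious request from a non-allowlisted client."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m or m["ip"] in allowed_ips:
            continue
        path = _normalise(m["path"])
        if m["upgrade"].lower() == "h2c":
            reason = "h2c (cleartext HTTP/2) upgrade requested on Docker API"
        elif m["ctype"].startswith("application/grpc"):
            reason = "gRPC-framed request to Docker API"
        elif m["method"] == "POST" and path.startswith(LIFECYCLE_PATHS):
            reason = f"container/image lifecycle call {path} from unknown client"
        elif m["method"] == "GET" and path in PROBE_PATHS:
            reason = f"API reachability probe {path} from unknown client"
        else:
            continue
        findings.append(Finding(m["ip"], reason, raw))
    return findings


def by_client(findings) -> dict:
    """Group reasons per client IP so the probe -> upgrade -> create chain is visible."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.ip].append(f.reason)
    return dict(grouped)


if __name__ == "__main__":
    for ip, reasons in by_client(analyse(SAMPLE_LOG, {"10.0.0.5"})).items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

Grouping by client matters more than any single rule: a lone `GET /_ping` is noise, but the same address probing, requesting an h2c upgrade and then creating a container is the chain the report describes. An allowlist of known orchestrators keeps legitimate automation out of the findings.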

**Action Items**:
– Evaluate and enhance current security measures for Docker API servers.
– Educate team members on the importance of monitoring for suspicious activities in Docker environments.
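The first action item, evaluating the current Docker API exposure, comes down to one question: does `dockerd` listen on a TCP socket without mutual TLS? The audit below is an added example, not code from the article or from Docker; the two configuration documents are constructed, and the daemon hardening assumed here is the one Docker documents (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey` in `daemon.json`).

```python
"""Added example: audit a Docker daemon.json for an unauthenticated TCP listener."""
import json

# Constructed weak configuration: the API is exposed on every interface,
# on the conventional plaintext port, with no TLS client verification.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

# Constructed hardened configuration: bound to one management address,
# TLS-only port, and clients must present a certificate signed by the CA.
# File paths are assumptions; the option names are dockerd's.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.10:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

REQUIRED_TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text: str) -> list:
    """Return human-readable problems; an empty list means no remote-API weakness found."""
    cfg = json.loads(text)
    problems = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return problems  # only the local unix socket: nothing reachable over the network
    if not cfg.get("tlsverify"):
        problems.append("TCP listener without tlsverify: any client reaching the port controls dockerd")
    for key in REQUIRED_TLS_KEYS:
        if key not in cfg:
            problems.append(f"missing {key}: mutual TLS cannot be enforced")
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        ip, _, port = addr.rpartition(":")
        if ip in ("", "0.0.0.0", "[::]"):
            problems.append(f"{host} binds every interface; bind a specific management address")
        if port == "2375":
            problems.append(f"{host} uses the conventional plaintext port 2375")
    return problems


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_config(doc) or ['ok']}")
```

Run it against `/etc/docker/daemon.json` on each host. A clean result still only covers the daemon itself: with `tlsverify` on, the h2c upgrade the attackers rely on never gets past the TLS handshake, but network policy should also keep port 2376 reachable from management hosts alone. On systemd installs, note that `hosts` in `daemon.json` conflicts with a `-H` flag in the unit's `ExecStart`, so one of the two must be removed.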
