November 14, 2023 at 11:39AM
Researchers from AhnLab Security Emergency Response Center have warned that attackers are targeting MySQL servers and Docker hosts to infect them with malware capable of launching distributed denial-of-service (DDoS) attacks. The malware, known as Ddostf, is a DDoS-capable botnet of Chinese origin. Attackers scan for vulnerable MySQL servers and upload a malicious DLL, allowing them to execute commands and deploy the malware. Similarly, Docker hosts are being targeted with the OracleIV DDoS-capable malware via the Docker Engine API.
After reviewing the meeting notes, I have identified the following key takeaways:
1. MySQL servers and Docker hosts are being targeted by attackers to plant malware capable of launching distributed denial-of-service (DDoS) attacks.
2. AhnLab Security Emergency Response Center warns that attacks targeting MySQL on Windows have increased in frequency.
3. Vulnerable MySQL servers are being infected with ‘Ddostf’, a DDoS-capable botnet of Chinese origin that has been active since 2016.
4. Malicious attackers are scanning the internet for publicly accessible MySQL servers on TCP port 3306 and compromising them through weak credentials or known vulnerabilities.
5. The attackers then upload a malicious DLL as a User-Defined Function (UDF) library to execute commands on the infected system and deploy and execute the Ddostf malware.
6. Ddostf targets both Linux and Windows environments, achieves persistence, collects system information, and communicates with a command-and-control (C&C) server to wait for instructions to launch DDoS attacks.
7. A distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period.
8. Cado Security warns that Docker hosts are being targeted by the OracleIV DDoS-capable malware via the Docker Engine API.
9. Attackers are scanning for publicly exposed instances of the Docker Engine API to deploy a malicious container that hosts Python malware compiled as an ELF executable.
10. Accidentally exposed Docker Engine API instances have been popular targets for attackers, especially for deploying cryptocurrency miners.
11. By hosting malicious containers in Dockerhub, the process of pulling and launching a malicious image is streamlined for the attackers.
12. Cado Security observed attackers making HTTP POST requests to retrieve a malicious image from Dockerhub and spawn a container from it.
13. The malicious Docker image, referred to as OracleIV, supports commands for various types of DDoS attacks.
These are the main points from the meeting notes regarding attackers targeting MySQL servers and Docker hosts.