Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

October 22, 2024 at 05:46AM

Trend Micro researchers report a cyberattack targeting Docker remote API servers to deploy the SRBMiner cryptominer for mining XRP cryptocurrency. The attacker used the gRPC protocol over h2c (cleartext HTTP/2) to bypass security measures, checked Docker API availability, and deployed the miner. The incident emphasizes the need for improved security configurations in Docker environments.

### Meeting Takeaways

#### Summary of Attack
– **Incident**: Malicious actors targeted Docker remote API servers to deploy the SRBMiner cryptominer for mining XRP cryptocurrency.
– **Technique Used**: The attacker utilized the gRPC protocol over h2c to bypass security measures.

#### Attack Sequence
1. **Discovery**:
   – Attacker checked Docker API availability and version.
   – Made requests for gRPC/h2c upgrades and gRPC methods to control Docker functions.

2. **Deployment**:
   – Downloaded SRBMiner cryptominer from GitHub.
   – Configured and started mining using a Ripple wallet address.
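As an added example (not from the Trend Micro article), a small triage script that applies the attack sequence above to constructed access-log lines from a reverse proxy assumed to sit in front of the Docker remote API: it flags requests from outside trusted networks, h2c upgrade attempts, gRPC content types, and container creation over such a transport. The log format, trusted ranges, addresses and gRPC path are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample (assumed format): client_ip method path status upgrade content_type
# "-" marks an absent Upgrade header or Content-Type.
SAMPLE_LOG = """\
10.0.0.5 GET /version 200 - -
203.0.113.7 GET /version 200 - -
203.0.113.7 POST /grpc/constructed.Service/Method 200 h2c application/grpc
203.0.113.7 POST /containers/create 201 h2c application/grpc
10.0.0.5 POST /containers/json 200 - -
"""

# Assumed trusted source ranges (best practice: restrict API access to internal networks).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Finding:
    client_ip: str
    path: str
    reasons: tuple


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyse(log_text: str) -> list:
    """Return one Finding per request that shows a suspicious access pattern."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line, skip
        ip, method, path, _status, upgrade, ctype = parts
        try:
            trusted = is_trusted(ip)
        except ValueError:
            continue  # unparsable address
        reasons = []
        if not trusted:
            reasons.append("docker-api-from-untrusted-source")
        if upgrade.lower() == "h2c":  # HTTP/1.1 -> cleartext HTTP/2 upgrade attempt
            reasons.append("h2c-upgrade")
        if ctype.startswith("application/grpc"):
            reasons.append("grpc-content-type")
        if method == "POST" and path.startswith("/containers/create") and reasons:
            reasons.append("container-create-over-suspicious-transport")
        if reasons:
            findings.append(Finding(ip, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.client_ip, f.path, ", ".join(f.reasons))
```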

#### Vulnerabilities Identified
– **Remote API Risks**: Misconfigured Docker API servers exposed to the internet can be exploited by threat actors.

#### Best Practices Recommended
1. Properly configure containers and APIs to reduce vulnerabilities.
2. Avoid running containers with root privileges; use application users instead.
3. Restrict container access to trusted sources, such as internal networks.
4. Conduct regular security audits for suspicious containers and images.

#### Trend Micro Security Solutions
– **Trend Vision One**:
  – Container Security for automated image and registry scanning.
  – Workload Security for protection against various threats.

– **Threat Intelligence**:
  – Provides access to intelligence reports and insights to better prepare against cyber threats.

#### Hunting Queries for Investigation
– **Specific Hunting Queries Available** for Trend Micro Vision One customers to trace malicious indicators relating to SRBMiner activity.

#### Indicators of Compromise (IOCs)
– **Hashes**:
  – SHA256: `0d4eb69b551cb538a9a4c46f7b57906a47bcabb8ef8a5d245584fbba09fc5084`
– **URLs**:
  – Malicious GitHub link and IP addresses related to the attack.

#### MITRE ATT&CK Techniques Identified
– **Technique IDs**:
  – Initial Access: T1190 (Exploit Public-Facing Application).
  – Execution: T1610 (Deploy Container).
  – Command and Control: T1105 (Ingress Tool Transfer).
  – Impact: T1496 (Resource Hijacking).

### Conclusion
To safeguard environments from such attacks, organizations must implement stringent security measures, adhere to best practices, and utilize security solutions effectively. Regular audits and threat intelligence can enhance prevention capabilities against evolving cyber threats.
