Gafgyt Malware Targeting Docker Remote API Servers

December 3, 2024 at 04:49AM

Trend Micro Research reports that Gafgyt malware, which has traditionally targeted IoT devices, is now targeting misconfigured Docker Remote API servers. Once the botnet binary is deployed, attackers can use the compromised hosts to launch DDoS attacks. Recommendations include strengthening access controls, monitoring activities, and ensuring adherence to container security best practices.

### Meeting Takeaways on Gafgyt Malware Targeting Docker Remote API Servers

**Report Highlights:**
– Trend Micro Research has identified an emerging threat involving the Gafgyt malware targeting misconfigured Docker Remote API servers, a notable deviation from its traditional targeting of IoT devices.
– Successful deployment of Gafgyt malware allows threat actors to use the compromised servers to launch Distributed Denial of Service (DDoS) attacks.

**Key Findings:**
– Attackers exploit publicly exposed Docker Remote API servers by deploying Gafgyt malware within a Docker container based on a legitimate “alpine” image.
– The attack process involves:
  – Creating a Docker container from the “alpine” image and deploying the Gafgyt botnet binary inside it.
  – Bind-mounting the host filesystem into the container (the “Binds” host configuration) and using “chroot” on that mount to gain elevated privileges and modify the host’s filesystem.
  – Executing subsequent variants of Gafgyt binaries if the initial deployment fails.

**Attack Process:**
1. Initial container creation request with a Rust-based Gafgyt bot binary named “rbot.”
2. Second attempt using a different Gafgyt binary, “atlas.i586,” executed with an argument “0day.”
3. Final fallback to a shell script “cve.sh” that downloads and executes additional bot binaries for various system architectures.

**Security Recommendations:**
– Implement strong access controls and authentication for Docker Remote API servers to prevent unauthorized access.
– Regularly monitor servers for unusual activities and have procedures in place for prompt responses.
– Follow container security best practices, avoiding privileged mode and thoroughly reviewing images before deployment.
– Educate personnel on security best practices concerning Docker Remote API servers.
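To make the monitoring recommendation concrete, the following is an added example (not code from the Trend Micro report) that inspects Docker Remote API container-create request bodies for the indicators described above: a bind mount of the host filesystem, a chroot in the container command, a binary launched from /tmp, and privileged mode. The two sample request bodies are constructed to illustrate the check.

```python
import json

# Constructed sample bodies for the Docker Remote API's POST /containers/create,
# modelled on the behaviour described in the report ("alpine" image, a bind of the
# host filesystem, and a chroot into it). They are not real captured traffic.
SAMPLE_REQUESTS = {
    "benign": json.dumps({
        "Image": "alpine",
        "Cmd": ["sh", "-c", "sleep 30"],
        "HostConfig": {"Binds": ["appdata:/data"]},
    }),
    "host-escape": json.dumps({
        "Image": "alpine",
        "Cmd": ["chroot", "/mnt", "sh", "-c", "/tmp/rbot"],
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    }),
}

# Host paths whose exposure to a container is a strong risk signal (assumed list).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def host_side(bind):
    """Return the host-side source of a Binds entry ('host:container[:opts]').
    Named volumes (no leading '/') are returned unchanged."""
    return bind.split(":", 1)[0]


def is_sensitive_host_path(src):
    """True for the host root or any path under a sensitive directory."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def assess_create_request(body):
    """Flag risk indicators in a container-create body; returns a list of findings."""
    req = json.loads(body)
    host_cfg = req.get("HostConfig") or {}
    findings = []
    if host_cfg.get("Privileged"):
        findings.append("privileged container")
    for bind in host_cfg.get("Binds") or []:
        src = host_side(bind)
        if is_sensitive_host_path(src):
            findings.append(f"bind mount of sensitive host path {src}")
    cmd = (req.get("Entrypoint") or []) + (req.get("Cmd") or [])
    if any("chroot" in part for part in cmd):
        findings.append("chroot in container command")
    if any(part.startswith("/tmp/") for part in cmd):
        findings.append("executable launched from /tmp")
    return findings
```

Feed it the JSON bodies logged by a proxy or audit hook in front of the Docker daemon; any non-empty result is worth an alert.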

**Trend Micro Vision One Threat Intelligence:**
– Customers can access detailed intelligence reports and threat insights within the Trend Micro Vision One platform, aiding in proactive threat mitigation strategies.
– Tools available for threat hunting, including detection queries and a range of indicators of compromise (IOCs).

**MITRE ATT&CK Techniques Identified:**
– Initial Access: External Remote Services (T1133)
– Execution: Deploy Container (T1610), Command and Scripting Interpreter: Unix Shell (T1059.004)
– Privilege Escalation: Escape to Host (T1611)
– Command and Control: Application Layer Protocol (T1071), Ingress Tool Transfer (T1105)
– Discovery: System Network Configuration Discovery (T1016)
– Impact: Network Denial of Service (T1498)

These takeaways summarize the reported findings regarding the Gafgyt malware’s new behavior pattern, the attack methodology employed by threat actors, and actionable steps to improve security posture.