Research from Unit 42, the Palo Alto Networks threat intelligence team, have identified a new first-of-its-kind cryptojacking worm, Graboid that spread using Docker software containers.
Docker is a platform-as-a-service solution that allows developers to deploy, test, and package applications in containers.
The worm spread to more than 2,000 unsecured Docker hosts to mine for Monero.
Monero is an open-source cryptocurrency that allows users to conceal nearly all details of transactions. By contrast, all Bitcoin transactions are public, traceable and permanently stored in the network.
While there have been incidents of cryptojacking malware spreading as a worm, this is the first time a cryptojacking worm has spread using containers in the Docker Engine (community edition).
A malicious actor initially gained foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host. Malware was downloaded from command and control (C2) servers. It was is deployed to mine for Monero, to query for new vulnerable hosts from C2 servers and to pick the worms next random target.
According to the research, each miner was active 63% of the time on average, and each mining period lasted for 250 seconds.
This type of malicious activity is difficult to detect as most traditional endpoint protection software does not inspect data and activities inside containers.
Docker worked in tandem with Unit 42 to remove the malicious container images.
While the worm does not involve sophisticated tactics, techniques or procedures, it can periodically pull new scripts from C2s. This means it can easily repurpose itself to ransomware or malware to compromise the host.
If a more potent worm was created to take a similar infiltration approach, it could cause much greater damage. As such, Unit 42 asserts that organisations must safeguard their Docker hosts.
The report’s recommendations to avoid being compromised included:
- Never expose a docker daemon to the internet without a proper authentication mechanism. The engine is not exposed to the internet.
- Use Unix socket to communicate with Docker daemon locally or use SSH to connect to a remote docker daemon.
- Use firewall rules to whitelist the incoming traffic to a small set of sources.
- Never pull Docker images from unknown registries or unknown user namespaces.
- Frequently check for any unknown containers or images in the system.
- Cloud security solutions such as Prisma Cloud or Twistlock can identify malicious containers and prevent cryptojacking activities.