Cybercriminals Exploit Docker API Endpoints: Unveiling the Spinning YARN Malware Campaign

How Hackers Exploit Docker API Endpoints to Overpower Your System

In the ever-evolving landscape of cyber threats, a new cryptojacking campaign is taking center stage. This time, attackers are setting their sights on Docker API endpoints, exploiting vulnerabilities to gain initial access and escalate privileges. According to a recent report by researchers at Datadog, these cybercriminals are leveraging publicly exposed Docker APIs to wreak havoc on unsuspecting systems.

Initial Access: The Doorway into Docker Hosts

The attackers begin their hacking spree by scanning the internet for hosts with Docker’s default port 2375 left open. This port is a common gateway for managing Docker containers, making it a prime target. Once they find a suitable host, they dive deeper using the docker version command to determine the exact version of the Docker host.

If the reconnaissance is fruitful, the attacker proceeds by creating an Alpine Linux container through Docker’s binder parameters, mapping the host’s root directory to a directory within the container. This step grants them access to the Docker host’s underlying filesystem, escalating their privileges.

The Exploit: Taking Over the System

With initial access secured, the attackers’ next move is to execute a shell command within the container. This command sets the foundation for subsequent malicious activities. The attackers deploy multiple payloads, including a remote access tool known as chkstart. This tool facilitates the download and execution of more malicious scripts and utilities designed for further exploitation.

One notable tool is exeremo, used to spread the malware to other systems via SSH. This lateral movement capability makes the attack campaign particularly dangerous as it can affect multiple hosts within a network.

Spinning YARN: The Malware Behind the Madness

Researchers have linked this campaign to the Spinning YARN campaign, a known series of attacks focusing on Docker hosts. The attackers utilize a shell script named “vurl” to retrieve additional payloads from a server they control. This script itself unpacks another script, b.sh, which houses a Base64-encoded binary also named “vurl.”

Once the vurl binary is executed, it fetches yet another set of scripts—ar.sh or ai.sh. These scripts modify existing system services and configurations to ensure persistence, making it even more challenging to eradicate the malicious presence from the system.

Persistence: Hunkering Down for the Long Haul

The persistence mechanism is particularly insidious. The attackers modify existing systemd services and use the ExecStartPost option to ensure their commands run each time the service starts. The ar.sh script, for instance, is designed to set up a working directory, install tools for scanning the internet for other vulnerable hosts, disable firewalls, clear shell histories, and more.

Another key aspect of this campaign is the deployment of the XMRig miner, a tool used to mine cryptocurrency, within the compromised hosts. The attackers use a Golang binary, vurl, to establish remote access and download additional tools from a remote server.

Not Just Cryptojacking

While the primary goal seems to be deploying the XMRig miner to generate illicit cryptocurrency, the attackers also keep a backdoor open for more nefarious objectives. By maintaining remote access via SSH, they ensure they can carry out further attacks or pivot to other systems within the network.

Protecting Your Docker Environments

This new wave of attacks underscores the need for stringent security measures within Docker environments. To safeguard your systems, consider the following steps:

• Close Unused Ports: Ensure that Docker’s default port 2375 is not exposed to the public internet.
• Implement Authentication: Use strong authentication mechanisms for Docker APIs to prevent unauthorized access.
• Regular Audits: Conduct regular security audits of your Docker configurations and deployment environments.
• Monitor Network Traffic: Be vigilant about monitoring for unusual network activity that could signal an ongoing attack.

Final Thoughts

The attacks on Docker API endpoints remind us of the importance of securing our digital assets. By understanding the tactics and techniques used by these cybercriminals, we can better defend our systems against such invasive threats. Stay alert, keep your systems up-to-date, and never underestimate the ingenuity of hackers.