Docker Under Siege: Cybercriminals Compromise Honeypots to Ramp Up Attacks

Cloud containers are increasingly part of the cybercrime playbook, with researchers flagging ongoing scanning for Docker weaknesses along with rapid exploitation to infect systems with coin-miners, denial-of-service tools, and ransomware.


Cybercriminals are ramping up their attacks on the Docker Engine — the software foundation of the container infrastructure used by many cloud-native companies. Researchers flagged a pair of cyber campaigns this week that showcase the increasing risk, including a compromise aimed at launching denial-of-service (DoS) attacks on Russian targets.

On May 5, researchers at cloud-management platform Uptycs said that attackers compromised the firm's honeypot, a Docker server configured to allow connections through the remote Docker API. The attacks resulted in the cybercriminals installing cryptomining software and creating a reverse shell, which would have allowed them to explore the server in real time.

The company has detected 10 to 20 attempts to compromise the honeypot server every day, suggesting that attackers have increased their interest in Docker-based infrastructure, says Amit Malik, director of threat research at Uptycs.

"We configured one of our machines as a honeypot, and within three hours, we saw it compromised, so we had to shut it down and rebuild it," Malik says. "The infection point is very rapid."

The attacks on Uptycs' Docker-based infrastructure are not unique. The incidents are happening to other companies as well.

Unwitting Hosts to Hostile DoS Activity Against Russia
Honeypots maintained by cybersecurity services firm CrowdStrike experienced similar attacks through the Docker remote API, generally assigned to port 2375 or 2376, according to an analysis of an attack posted on May 4.

CrowdStrike researchers revealed that attackers compromised its honeypots through the open Docker API and then installed two malicious container images that were used to attack Russian and Belarusian sites.

The target lists include the websites of the Russian and Belarusian governments, military, media, and retail sectors, as well as Russian mining, manufacturing, chemical, and technology sectors, according to CrowdStrike.

Both DoS-enabling containers are hosted on Docker Hub. One of the images has been downloaded more than 100,000 times; the second has been downloaded 50,000 times. CrowdStrike researchers noted that the portion of these downloads that originated from compromised machines is unknown.

The use of compromised infrastructure has far-reaching consequences for organizations that may unwittingly be participating in hostile activity against Russian government, military, and civilian targets, the firm warned. Any investigation into the attack by Russian intelligence will likely point back to the victim's server, says Adam Meyers, vice president of intelligence at CrowdStrike.

"It is a little different when they are using your infrastructure to attack a third party," he says. "If [Russia or Belarus] starts looking at these attacks, they might say, 'Oh, they are DoSing us, so we will DoS them.'"

Security Needs to Focus on Docker Threats
While Docker is well known in the development and DevOps communities, security professionals may not be as aware of the potential for insecure configurations or vulnerabilities to undermine enterprise security, Meyers says.

The attack surface is concerning: In December, security startup Prevasio found that 51% of the 4 million images they scanned on Docker Hub included packages that had a critical security vulnerability. On the misconfiguration front, while exposing the remote Docker API is not a common configuration — currently Shodan counts 803 assets exposing port 2375 — the relatively frequent scanning of the port means that any misconfiguration would be exploited quickly.
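The misconfiguration described above is a Docker daemon that listens on a TCP port without client-certificate verification, so anyone who can reach the port can create containers on the host. The following audit script is an added example, not code from the article, Uptycs, CrowdStrike, or the Docker project. It reads the dockerd options that govern the remote API (`hosts`/`-H`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`, all real dockerd option names) from either a `daemon.json` document or a systemd `ExecStart` command line and reports every TCP listener that is reachable without mutual TLS, alongside a hardened configuration that passes. The sample configurations are constructed for the example.

```python
"""Audit a Docker daemon's listener configuration for an exposed remote API.

Added example (not from the article, Uptycs, CrowdStrike or Docker). The
option names below are real dockerd options; the sample configurations
are constructed and do not describe any real host.
"""
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples: a weak daemon.json exposing port 2375 in plain text,
# a hardened one listening on 2376 with client-certificate verification,
# and a weak systemd ExecStart line that passes the listener via -H flags.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_EXECSTART = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                  "--containerd=/run/containerd/containerd.sock")

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def options_from_daemon_json(text: str) -> dict:
    """Extract the listener-related keys from a daemon.json document."""
    cfg = json.loads(text)
    return {
        "hosts": list(cfg.get("hosts", [])),
        "tlsverify": bool(cfg.get("tlsverify", False)),
        **{key: cfg.get(key) for key in TLS_FILE_KEYS},
    }


def options_from_execstart(cmdline: str) -> dict:
    """Extract the same keys from a dockerd command line (e.g. a systemd ExecStart)."""
    args = shlex.split(cmdline)
    opts = {"hosts": [], "tlsverify": False, **{key: None for key in TLS_FILE_KEYS}}
    i = 1  # args[0] is the dockerd binary itself
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            opts["hosts"].append(args[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            opts["hosts"].append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            opts["tlsverify"] = True
        else:
            for key in TLS_FILE_KEYS:
                if arg.startswith(f"--{key}="):
                    opts[key] = arg.split("=", 1)[1]
        i += 1
    return opts


def audit_listeners(opts: dict) -> list[str]:
    """Return one finding per problem; an empty list means no exposed listener."""
    findings = []
    for host in opts["hosts"]:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// are local sockets, not network-reachable
        # Assumption for this example: a tcp:// URL with no host means all interfaces.
        bind = parts.hostname or "0.0.0.0"
        if not opts["tlsverify"]:
            findings.append(f"{host}: remote API reachable without client-certificate "
                            "verification; anyone who can reach the port controls the host")
            continue
        missing = [key for key in TLS_FILE_KEYS if not opts.get(key)]
        if missing:
            findings.append(f"{host}: tlsverify is set but {', '.join(missing)} not configured")
        if bind in ("0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces; restrict the bind address "
                            "or firewall the port to known clients")
    return findings


if __name__ == "__main__":
    for label, opts in (
        ("weak daemon.json", options_from_daemon_json(WEAK_DAEMON_JSON)),
        ("hardened daemon.json", options_from_daemon_json(HARDENED_DAEMON_JSON)),
        ("weak ExecStart", options_from_execstart(WEAK_EXECSTART)),
    ):
        print(label, "->", audit_listeners(opts) or ["ok"])
```

Run against a host's `/etc/docker/daemon.json` or the `ExecStart=` line of its `docker.service` unit; the weak samples each yield a finding for `tcp://0.0.0.0:2375`, while the hardened sample, which verifies client certificates and binds to a single internal address, yields none. Even the hardened form only restricts who can call the API; a client holding a valid certificate still has root-equivalent control of the host, so the certificate key deserves the same protection as a root credential.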

"It is a relatively new technology, and with any new technology there is a security curve that goes with that," Meyers says. "There is a general lack of awareness around the threat, and that is the thing that we are trying to raise the flag with here. You need to take Docker security seriously."

More Visibility Needed into Docker
To understand their level of risk, businesses should ensure that they can adequately monitor the attack surface area of assets such as Docker, Kubernetes servers, and DevOps-related infrastructure, says Siddharth Sharma, a researcher at Uptycs.

"Most of these attacks go unnoticed because people might not have a comprehensive security solution monitoring their Docker infrastructure," he says. "So the attacker will not be detected as often, unless something goes wrong. But often the types of [payloads] they install are not obvious."

Last year, Docker changed the licensing terms of Docker Desktop, moving to a subscription model and arguing that the shift will help the company support more security features and audits. The move came two years after the company split, dividing into Docker — focused on development with Docker Hub and Docker Desktop — and the enterprise infrastructure components of Docker Enterprise, which was sold to Mirantis.

About the Author(s)

Robert Lemos, Contributing Writer
