'Commando Cat' Digs Its Claws Into Exposed Docker Containers

Attackers are taking advantage of misconfigured containers to deploy cryptocurrency mining software.

3 Min Read
A cat sitting on the floor beside two guns
Source: Виктория Котлярчук via Alamy Stock Photo

For months now, cybercriminals have been taking advantage of misconfigured Docker containers to perform cryptojacking.

"Commando Cat" — not the only campaign targeting Docker lately — traces back to the beginning of the year. According to the latest update from Trend Micro, the unknown attackers are still exploiting Docker misconfigurations to gain unauthorized access to containerized environments, using Docker images to deploy cryptocurrency miners and make a quick buck.

Manipulating Docker Containers

For a long time now, containerization has been useful for organizations. More recently, it also has been useful for cyberattackers.

"What we're seeing is cybercriminals utilizing these same Docker capabilities to get their own containers running on your infrastructure," explains Al Carchrie, R&D lead solutions engineer at Cado Security, the first to uncover Commando Cat (as well as the other latest Docker exploitation) back in January. "There are two ways you can do that. You can register a container within a library, and you can then call that container from the library that contains your malicious code, and get that malicious code to run. We're starting to see people move away from that, because the libraries are doing a really good job of looking for malicious containers."

Commando Cat takes the other approach: using benign containers as blank slates upon which they can pull in and run their malicious code.

To do this, as in so many modern cyberattacks, the threat actor first identifies exposed endpoints to hone in on. In this case, those endpoints are Docker remote API servers. "Nine times out of 10, this is going to come down to a misconfiguration. As we see with quite a lot of incidents, whether in the cloud or on premise or hybrid, it's pretty much down to oversight," Carchrie notes.

With exposed endpoints as an initial means of access, the attacker deploys a harmless Docker image using the open source tool Commando, then uses it as the basis to create a new container. Then, using the "chroot" Linux operation and volume binding — a means of linking directories in host systems with Docker containers — they peek outside of the container and ultimately escape to the host operating system.

By the end, they can establish a command-and-control (C2) channel and upload their cryptojacking malware.

What Organizations Can Do

Commando Cat's attacks have been streamlined somewhat from earlier this year, when its payloads included scripts designed to backdoor the target system, establish persistence, exfiltrate cloud credentials, and more. What's clear is that, under different circumstances, this same kind of attack could lead to far more than just cryptojacking.

To mitigate that risk, Trend Micro recommends organizations use only official or certified Docker images, avoid running containers with root privileges, perform regular security audits, and adhere to general guidelines and best practices around containers and APIs.

And most of all, Carchrie emphasizes, "Make sure that your Docker container's API is not directly accessible to the Internet."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights