Cryptocurrency mining has become a new threat trend, but until recently it was associated mostly with malicious smartphone apps and in-browser mining. Even tiny mining attempts, accumulated across thousands of instances, add up to profit. And, apparently, exposed Docker hosts can make profiteers fast, nearly untraceable money.
Security researchers at Aqua Security deployed unprotected Docker instances on the Internet to see whether they would be fingerprinted and, if so, how they would be abused. The results surprised the researchers, who watched hosts that should normally be protected get probed and then attacked.
Systems and network engineers know that every Internet address is probed many times a day, as both attackers and researchers try to fingerprint each and every host. Usually the hosts are hardware platforms running Linux, FreeBSD, Windows or other operating systems with web server applications. A system might also be the machine of one of the Internet's billion or so end users.
Docker is a software containerization platform that hosts server-side applications on Linux and Windows (with ports to other operating systems) in containers that run with a reduced set of privileges by default, which helps protect the integrity of the host operating system. The Docker daemon that manages those containers, however, runs as root, and anyone who can reach its API can start containers on the host. The daemon isn't usually visibly exposed to the world. The services that Docker enables, such as web services with links to databases or other background processes, are exposed, but not the Docker daemon and API used to manage those services.
Exposed and raw, the Docker instances the researchers used as honeypots were probed and quickly fingerprinted as Docker by a bot. Then, to the researchers' surprise, a series of seemingly automated attempts finally placed a container image that mines the popular cryptocurrency Monero onto the Docker instance, and automated cryptocurrency mining nearly commenced.
The bot used the Docker import function to inject an xmr (Monero miner) container image into the exposed Docker instance. Although the attacker was persistent and tried several different injection methods, Aqua had disabled the ability to docker run any container in the honeypot, so the attacker's efforts were fruitless.
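The opening the bot used is a configuration matter: a dockerd that listens on a TCP port without requiring client certificates. As an added example (not Aqua's code and not from the original article), the Python below reads the listener settings from a daemon.json document or from a dockerd command line and grades them. The two configurations embedded in it, the certificate paths under /etc/docker, and the severity labels are constructed for this illustration.

```python
"""Grade a dockerd listener configuration for an exposed, unauthenticated API.

Added example, not Aqua's code. dockerd takes these settings either from
/etc/docker/daemon.json ("hosts", "tls", "tlsverify", "tlscacert", ...)
or from the matching -H / --tls* flags on its command line (for instance
a systemd ExecStart= value); both forms are parsed here. The sample
configurations and file paths below are constructed for the example.
"""
import json
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed: API on every interface, no TLS (2375 is the conventional
# plaintext port). This is the kind of exposure the honeypot reproduced.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed: remote API kept, but only for clients presenting a certificate
# signed by the CA in tlscacert (2376 is the conventional TLS port).
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
SEVERITY = {"WARN": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass
class ListenerConfig:
    hosts: list = field(default_factory=list)  # empty means the default unix socket only
    tls: bool = False        # --tls: encrypt, but do not authenticate clients
    tlsverify: bool = False  # --tlsverify: require a client cert signed by tlscacert
    tlscacert: str = ""


def from_daemon_json(text):
    """Pick the listener-related keys out of a daemon.json document."""
    cfg = json.loads(text)
    return ListenerConfig(
        hosts=list(cfg.get("hosts", [])),
        tls=bool(cfg.get("tls", False)),
        tlsverify=bool(cfg.get("tlsverify", False)),
        tlscacert=cfg.get("tlscacert", ""),
    )


def from_cmdline(cmdline):
    """Parse -H/--host, --tls, --tlsverify and --tlscacert from a dockerd invocation."""
    args = shlex.split(cmdline)
    cfg = ListenerConfig()
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host"):
            cfg.hosts.append(args[i + 1])
            i += 1
        elif a.startswith(("-H=", "--host=")):
            cfg.hosts.append(a.split("=", 1)[1])
        elif a in ("--tls", "--tls=true"):
            cfg.tls = True
        elif a in ("--tlsverify", "--tlsverify=true"):
            cfg.tlsverify = True
        elif a == "--tlscacert":
            cfg.tlscacert = args[i + 1]
            i += 1
        elif a.startswith("--tlscacert="):
            cfg.tlscacert = a.split("=", 1)[1]
        i += 1
    return cfg


def audit(cfg):
    """Return (severity, message) findings, one per problematic TCP listener."""
    findings = []
    for h in cfg.hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        local = (u.hostname or "") in LOOPBACK
        if cfg.tlsverify:
            if not cfg.tlscacert:
                findings.append(("WARN", f"{h}: tlsverify set but no tlscacert; dockerd falls back to its default CA path"))
        elif cfg.tls:
            findings.append(("HIGH", f"{h}: TLS without tlsverify; traffic is encrypted but clients are not authenticated"))
        elif local:
            findings.append(("WARN", f"{h}: plaintext API on loopback, usable by any local process"))
        else:
            findings.append(("CRITICAL", f"{h}: plaintext API reachable from the network; whoever connects controls the daemon, which is root-equivalent on this host"))
    return findings


def worst(findings):
    """Highest severity present, or None when the configuration is clean."""
    return max((s for s, _ in findings), key=SEVERITY.get, default=None)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        result = audit(from_daemon_json(text))
        print(f"{label}: {worst(result) or 'clean'}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Point the script at the real /etc/docker/daemon.json or the ExecStart= line of the docker.service unit on a host; a CRITICAL finding is exactly what the honeypot looked like from the outside. The check deliberately ignores the port number, because what matters is whether a client has to present a certificate, not whether the listener sits on 2375 or 2376.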
The implanted container, when examined by the researchers, would not have tried to steal much computational resource from the Docker host, avoiding the spikes that might trigger alerts in security frameworks or management consoles. Indeed, it would look like one of several brown dogs in a playground full of other brown dogs, unless one noticed the outbound TCP connections used to report mined Monero back to a "mothership" server.
Purposely exposing a Docker instance this way isn't recommended, of course, but with millions of Docker containers deployed in the wild, a few are bound to be forgotten.
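The point in the paragraph above is that a CPU threshold will not catch a miner that deliberately stays quiet, while its egress to the pool will. As an added example (not Aqua's code or the article's), the Python below runs both rules over constructed input: a `docker stats` excerpt, a container-to-IP map of the kind `docker inspect` yields, and `conntrack -L` flow lines. The container names, the per-container egress baseline, the RFC 5737 documentation addresses and the pool port 3333 are all assumptions made for this illustration.

```python
"""Catch a quiet in-container miner by its egress, not its CPU.

Added example, not Aqua's code. All input is constructed: lines in the
format of `docker stats --no-stream --format "{{.Name}} {{.CPUPerc}}"`,
a container-IP map of the kind `docker inspect` provides, and flow lines
in the format printed by `conntrack -L` (only the original direction,
the first src=/dst=/sport=/dport= group, is used).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed docker stats output: both containers are well under any
# sensible CPU alarm, which is the miner's whole strategy.
DOCKER_STATS = """\
web 12.30%
helper 4.10%
"""

# Constructed: container bridge IPs (as reported by `docker inspect`).
# "helper" is the implanted container with an innocuous-looking name.
CONTAINER_IPS = {"172.17.0.2": "web", "172.17.0.3": "helper"}

# Constructed conntrack -L excerpt. 192.0.2.5 plays the host's public IP,
# 10.0.1.20 the database, 203.0.113.10 the mining pool.
CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.5 sport=51120 dport=80 src=172.17.0.2 dst=198.51.100.7 sport=80 dport=51120 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=172.17.0.2 dst=10.0.1.20 sport=40022 dport=5432 src=10.0.1.20 dst=192.0.2.5 sport=5432 dport=40022 [ASSURED] mark=0 use=1
tcp      6 431995 ESTABLISHED src=172.17.0.3 dst=203.0.113.10 sport=48724 dport=3333 src=203.0.113.10 dst=192.0.2.5 sport=3333 dport=48724 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=172.17.0.2 dst=10.0.1.20 sport=40010 dport=5432 src=10.0.1.20 dst=192.0.2.5 sport=5432 dport=40010 [ASSURED] mark=0 use=1
"""

# Assumed per-container egress baseline: the web tier may reach the
# database port; the helper should make no outbound connections at all.
EXPECTED_EGRESS = {"web": {5432}, "helper": set()}

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FLOW_RE = re.compile(
    r"^tcp\s+6\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)")


def parse_stats(text):
    """'name 12.30%' lines -> {name: cpu_percent}."""
    out = {}
    for line in text.splitlines():
        name, pct = line.split()
        out[name] = float(pct.rstrip("%"))
    return out


def parse_conntrack(text):
    """Yield one dict per TCP flow line, original direction only."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def cpu_rule(stats, threshold=80.0):
    """The usual miner heuristic: flag containers burning CPU."""
    return sorted(n for n, pct in stats.items() if pct >= threshold)


def egress_rule(flows, container_ips, expected):
    """Flag established outbound TCP from a container to an external
    address on a port outside that container's baseline."""
    hits = defaultdict(set)
    for f in flows:
        name = container_ips.get(f["src"])
        if name is None or f["state"] != "ESTABLISHED":
            continue  # inbound flow, or not a container, or already closing
        if is_internal(f["dst"]) or f["dport"] in expected.get(name, set()):
            continue
        hits[name].add((f["dst"], f["dport"]))
    return {n: sorted(v) for n, v in hits.items()}


def run():
    """Apply both rules to the constructed samples."""
    stats = parse_stats(DOCKER_STATS)
    flows = list(parse_conntrack(CONNTRACK))
    return cpu_rule(stats), egress_rule(flows, CONTAINER_IPS, EXPECTED_EGRESS)


if __name__ == "__main__":
    by_cpu, by_egress = run()
    print("cpu rule flags:   ", by_cpu or "nothing")
    print("egress rule flags:", by_egress or "nothing")
```

On this input the CPU rule flags nothing, while the egress rule flags the helper container's established connection to 203.0.113.10:3333. The baseline is the part that needs real work in production: it has to come from what each container is actually supposed to talk to, and a container with no legitimate reason to make outbound connections should have an empty set, so that any external flow at all is an alert.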
To make money, "a cryptominer container doesn't need anything but CPU and a communications vector," said Michael Cherney, head of research for Aqua's Israel-based security team. "It's interesting. The infection container we saw stays under the radar. It's very difficult to find as an anomaly. It's far more difficult to notice, it doesn't use anything but CPU, no disk I/O or other communications except to cash in."
It took two days for hackers to find and attempt to seed the unprotected Docker container, Cherney added. The well-known ease of Docker deployment could bring a rise of the "new hammer sees everything as a nail" syndrome, and with it a growing number of forgotten Docker farms ripe for quiet, unassuming instances of currency mining. No credit cards will be stolen, no user data exposed, just micro-fractions of CPU and power silently munched, until an exposed container fleet is simply wiped or its hardware repurposed.