Commando Cat Digs Its Claws Into Exposed Docker Containers

Published: 23/11/2024   Category: security


Attackers are taking advantage of misconfigured containers to deploy cryptocurrency mining software.



For months now, cybercriminals have been taking advantage of misconfigured Docker hosts to perform cryptojacking. Commando Cat, not the only campaign targeting Docker lately, traces back to the beginning of the year. According to the latest update from Trend Micro, the unknown attackers are still exploiting Docker misconfigurations to gain unauthorized access to containerized environments, using Docker images to deploy cryptocurrency miners and make a quick buck.
For a long time now, containerization has been useful for organizations. More recently, it also has been useful for cyberattackers.
"What we're seeing is cybercriminals utilizing these same Docker capabilities to get their own containers running on your infrastructure," explains Al Carchrie, R&D lead solutions engineer at Cado Security, which was the first to uncover Commando Cat (as well as the other recent Docker campaign) back in January. "There are two ways you can do that. You can register a container within a library, and you can then call that container from the library that contains your malicious code, and get that malicious code to run. We're starting to see people move away from that, because the libraries are doing a really good job of looking for malicious containers."
Commando Cat takes the other approach: using benign containers as blank slates into which its operators pull and run their malicious code.
To do this, as in so many modern cyberattacks, the threat actor first identifies exposed endpoints to home in on. In this case, those endpoints are Docker remote API servers. "Nine times out of 10, this is going to come down to a misconfiguration. As we see with quite a lot of incidents, whether in the cloud or on premises or hybrid, it's pretty much down to oversight," Carchrie notes.
With exposed endpoints as an initial means of access, the attacker deploys a harmless Docker image built with the open source Commando project, then uses it as the basis to create a new container. Then, by bind-mounting host directories into the container (volume binding, the mechanism that maps a host path onto a path inside a container) and running the Linux chroot operation against that mount, they peek outside of the container and ultimately escape to the host operating system.
By the end, they can establish a command-and-control (C2) channel and deploy their cryptojacking payload.
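The escape described above leaves a recognizable shape in the Docker Engine's own metadata: a container whose bind mount exposes the host's root filesystem (or another sensitive host path), often alongside --privileged or a shared PID namespace. The following audit of `docker inspect` output is an added example, not code from the article, Trend Micro or Cado Security; the list of sensitive host paths and the severity labels are this example's own assumptions, and the two inspect documents are constructed, trimmed to the fields the code reads.

```python
# Added example (not from the article, Trend Micro or Cado Security): audit
# `docker inspect` output for the container shape Commando Cat creates, that is,
# a host directory bind-mounted into the container so chroot can reach the host.
import json
import sys

# Host paths whose bind mount hands the container a route onto the host.
# This list is an assumption of this example; tune it for your estate.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/boot",
                        "/var/run/docker.sock")


def is_sensitive_host_path(path):
    """True if `path` is one of the sensitive host paths or lies beneath one."""
    path = path.rstrip("/") or "/"
    for prefix in SENSITIVE_HOST_PATHS:
        prefix = prefix.rstrip("/") or "/"
        if path == prefix or (prefix != "/" and path.startswith(prefix + "/")):
            return True
    return False


def audit_container(doc):
    """Return (severity, message) findings for one `docker inspect` document."""
    findings = []
    name = doc.get("Name", "").lstrip("/") or doc.get("Id", "")[:12]
    host_cfg = doc.get("HostConfig", {})
    # Bind mounts are listed in Mounts[] (HostConfig.Binds carries the same
    # data in "src:dst[:opts]" form); only Type == "bind" touches host paths.
    for mount in doc.get("Mounts", []):
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and is_sensitive_host_path(src):
            mode = "rw" if mount.get("RW", True) else "ro"
            sev = "HIGH" if mode == "rw" else "MEDIUM"
            findings.append((sev, f"{name}: host {src} bind-mounted at "
                                  f"{mount.get('Destination')} ({mode})"))
    if host_cfg.get("Privileged"):
        findings.append(("HIGH", f"{name}: runs with --privileged"))
    if host_cfg.get("PidMode") == "host":
        findings.append(("MEDIUM", f"{name}: shares the host PID namespace"))
    if doc.get("Config", {}).get("User", "") in ("", "0", "root"):
        findings.append(("LOW", f"{name}: process runs as root inside the container"))
    return findings


def audit(docs):
    """Audit a list of inspect documents; returns all findings, worst first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = [f for doc in docs for f in audit_container(doc)]
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample (trimmed to the fields used): the first document mimics the
# attacker-created container, a benign image with the host root filesystem
# mounted at /host; the second is a benign service with a named volume and an
# unprivileged user.
SAMPLE_INSPECT = [
    {"Id": "c0ffee0000000000", "Name": "/quirky_cat",
     "Config": {"Image": "alpine:3.20", "User": ""},
     "HostConfig": {"Binds": ["/:/host"], "Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Id": "beef000000000000", "Name": "/web",
     "Config": {"Image": "nginx:1.27", "User": "101:101"},
     "HostConfig": {"Binds": [], "Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
]

if __name__ == "__main__":
    # Usage: docker ps -q | xargs docker inspect | python3 audit_mounts.py
    docs = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INSPECT
    results = audit(docs)
    for sev, msg in results:
        print(f"[{sev}] {msg}")
    sys.exit(1 if any(sev == "HIGH" for sev, _ in results) else 0)
```

Run against live hosts with `docker ps -q | xargs docker inspect` piped in; the check is on the container's configuration, not on its image, which is exactly why a "benign image as blank slate" campaign still shows up. A read-only mount of `/` is downgraded to MEDIUM because it still exposes host secrets for reading even if chroot cannot write through it.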
Commando Cat's attacks have been streamlined somewhat since earlier this year, when its payloads included scripts designed to backdoor the target system, establish persistence, exfiltrate cloud credentials, and more. What's clear is that, under different circumstances, this same kind of attack could lead to far more than just cryptojacking.
To mitigate that risk, Trend Micro recommends organizations use only official or certified Docker images, avoid running containers with root privileges, perform regular security audits, and adhere to general guidelines and best practices around containers and APIs.
And most of all, Carchrie emphasizes: "Make sure that your Docker containers' API is not directly accessible to the Internet."
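The exposure Carchrie warns about is a daemon setting, so it can be checked before an attacker does. The audit below is an added example, not code from the article, Trend Micro or Cado Security. It reads the real `daemon.json` keys `hosts`, `tls`, `tlsverify` and `userns-remap`; the two sample configurations are constructed, one showing the classic exposed-API mistake and one keeping remote access while requiring client certificates and remapping container root.

```python
# Added example (not the article's or Trend Micro's code): audit dockerd's
# daemon.json for the exposure Commando Cat depends on, an Engine API that
# listens on TCP without client authentication.
import json
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_daemon_config(cfg):
    """Return (severity, message) findings for a parsed daemon.json dict."""
    findings = []
    # With no "hosts" key dockerd listens only on the Unix socket.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls = bool(cfg.get("tls"))
    tlsverify = bool(cfg.get("tlsverify"))  # implies tls; requires client certs
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// are local-only
        host = u.hostname or ""  # "" or 0.0.0.0 / :: means every interface
        public = host not in LOOPBACK
        if not tlsverify:
            reason = ("TLS without client certificate verification" if tls
                      else "plaintext, no authentication at all")
            sev = "CRITICAL" if public else "HIGH"
            findings.append((sev, f"{h}: Engine API reachable over {reason}; "
                                  "anyone who can connect can create containers"))
        elif public:
            findings.append(("INFO", f"{h}: client-certificate TLS in place; "
                                     "still restrict the port at the firewall"))
    # Containers run as root map to host root unless user namespaces are on.
    if not cfg.get("userns-remap"):
        findings.append(("LOW", "userns-remap unset: root in a container is "
                                "root on the host"))
    return findings


# Constructed configs: the weak one is the classic exposed-API mistake, the
# hardened one keeps remote access but requires mutual TLS and remaps root.
WEAK_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_DAEMON_JSON = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",
}

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    try:
        with open(path) as fh:
            cfg = json.load(fh)
    except FileNotFoundError:
        cfg = {}  # no file: defaults apply (Unix socket only)
    for sev, msg in audit_daemon_config(cfg):
        print(f"[{sev}] {msg}")
```

On systemd-based distributions the listen addresses are often given as `-H` flags on the dockerd `ExecStart` line rather than in `daemon.json` (dockerd refuses to start if both are set), so read `systemctl cat docker` as well. A loopback-only plaintext listener is still rated HIGH here because anything on the host, including a compromised container with host networking, can reach it.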
