Monero cryptominers hijack hundreds of unpatched Docker hosts

Hundreds of Docker hosts with the platform's remote API left open to the internet are being used by cybercriminals to mine the Monero (XMR) cryptocurrency, and a recently disclosed vulnerability in the containerisation platform's runtime leaves them open to far worse.

Security company Imperva used Shodan to search for hosts running Docker and found 3,822 on which the platform's remote API was publicly exposed.

Of these, around 400 actually answered on ports 2375/2376, the API's default listening ports (plain TCP and TLS respectively). The majority turned out to be running cryptominers, with a smaller number hosting legitimate MySQL and Apache production servers.

Docker's remote API is used to create and control containers, and its ports should never be reachable from the internet: anyone who can talk to an unauthenticated API can start a container of their choosing on the host. Combined with CVE-2019-5736, a critical vulnerability in runC, Docker's default container runtime, that lets a malicious container overwrite the host's runC binary and gain root on the host, this could quickly lead to a full compromise.

As bad as cryptocurrency mining sounds, the researchers explain that attackers could do a lot worse with pwned Docker hosts, including stealing credentials to attack the internal network, hosting phishing and malware campaigns, and creating botnets:

The possibilities for attackers after spawning a container on hacked Docker hosts are endless.

Not to mention that these hosts are still busily mining Monero for criminal gain:

Monero transactions are obfuscated, meaning it is nearly impossible to track the source, amount, or destination of a transaction.

What to do

The worry is that hundreds of Docker hosts have already been compromised, with many more potentially on offer. And if the runC flaw is being exploited on top of the exposed API, that means admins haven't patched it either, which, given how serious it is, is a surprise.

Updating Docker to v18.09.2 or later fixes the runC flaw, but that alone doesn't close the door. The remote API has to be secured in the first place: bind the daemon to the local Unix socket only, or, if a TCP listener is genuinely needed, protect it with TLS client-certificate authentication. Secrets also need proper handling (Imperva saw credentials stored insecurely as environment variables, for example).
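The exposure Imperva found comes down to how dockerd is told to listen. The script below, an added example and not code from Imperva or the Docker project, classifies a daemon configuration (either the daemon.json "hosts" array or the systemd ExecStart line) as local-only, TLS-verified, loopback-only or exposed without authentication. The sample configurations and file paths in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how dockerd is configured to listen, from either a daemon.json
# blob or a systemd ExecStart line. Illustrative code, not Imperva's or Docker's;
# the sample configurations below are constructed.

# Print every tcp:// listener found in the config text (JSON "hosts" array or argv).
tcp_listeners() {
    printf '%s\n' "$1" | grep -o 'tcp://[^"[:space:],]*' || true
}

# True if the config turns on TLS client-certificate verification.
# JSON form: "tlsverify": true      argv form: --tlsverify or --tlsverify=true
# Deliberately NOT accepted: "tls": true / --tls alone, which encrypts the
# connection but lets any client in without a certificate.
tls_verify_on() {
    printf '%s\n' "$1" | grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true|(^|[[:space:]])--tlsverify([[:space:]]|=true|$)'
}

# Classify a config:
#   LOCAL_ONLY                unix socket / fd:// only, nothing on TCP
#   TLS_VERIFIED              TCP listener, clients must present a trusted cert
#   LOOPBACK_UNAUTHENTICATED  TCP without auth, but bound to 127.0.0.1 / [::1] only
#   EXPOSED_UNAUTHENTICATED   TCP without auth on a non-loopback address, i.e. the
#                             condition behind the hijacked hosts in the article
classify_docker_config() {
    _blob=$1
    _listeners=$(tcp_listeners "$_blob")
    if [ -z "$_listeners" ]; then
        echo LOCAL_ONLY
        return
    fi
    if tls_verify_on "$_blob"; then
        echo TLS_VERIFIED
        return
    fi
    _nonloop=0
    for _l in $_listeners; do
        _host=${_l#tcp://}      # drop the scheme
        _host=${_host%:*}       # drop the trailing :port ("" means all interfaces)
        case "$_host" in
            127.*|localhost|'[::1]') ;;
            *) _nonloop=1 ;;
        esac
    done
    if [ "$_nonloop" -eq 0 ]; then
        echo LOOPBACK_UNAUTHENTICATED
    else
        echo EXPOSED_UNAUTHENTICATED
    fi
}

# Live mode (run as: sh audit.sh --live): read the real daemon.json and the running
# dockerd command line on this machine. Paths and the ps invocation are assumptions
# about a typical Linux install.
audit_running_daemon() {
    _cfg=""
    [ -r /etc/docker/daemon.json ] && _cfg=$(cat /etc/docker/daemon.json)
    _cfg="$_cfg
$(ps -eo args= 2>/dev/null | grep 'dockerd' | grep -v grep)"
    printf 'this host: %s\n' "$(classify_docker_config "$_cfg")"
}

# Constructed samples (not real hosts).
SAMPLE_LOCAL='{ "hosts": ["unix:///var/run/docker.sock"] }'
SAMPLE_EXPOSED='{ "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"] }'
SAMPLE_EXECSTART='ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375'
SAMPLE_LOOPBACK='{ "hosts": ["tcp://127.0.0.1:2375"] }'
SAMPLE_HARDENED='{ "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem" }'

printf 'local:      %s\n' "$(classify_docker_config "$SAMPLE_LOCAL")"
printf 'exposed:    %s\n' "$(classify_docker_config "$SAMPLE_EXPOSED")"
printf 'execstart:  %s\n' "$(classify_docker_config "$SAMPLE_EXECSTART")"
printf 'loopback:   %s\n' "$(classify_docker_config "$SAMPLE_LOOPBACK")"
printf 'hardened:   %s\n' "$(classify_docker_config "$SAMPLE_HARDENED")"

case "${1:-}" in --live) audit_running_daemon ;; esac
```

The hardened sample is the shape Docker's own documentation describes for a remote API: port 2376, `tlsverify` on, and a CA that issued the server and client certificates. Two sanity checks on a live host complement the config audit: `ss -ltnp | grep -E ':(2375|2376)'` shows whether anything is actually listening, and `docker -H tcp://HOST:2375 info` run from another machine reproduces, in effect, the test Imperva's scan performed: if it returns daemon details without a certificate, so will an attacker's.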

Last June, sites running the Drupal CMS were hit by a Monero cryptomining campaign exploiting 'Drupalgeddon 2', months after the vulnerability that made it possible, CVE-2018-7600, had been patched.