Vulnerable Docker Hosts Actively Abused in Cryptojacking Campaigns

Hundreds of vulnerable and exposed Docker hosts are being abused in cryptojacking campaigns after being compromised with the help of exploits designed to take advantage of the CVE-2019-5736 runc vulnerability discovered last month.

The CVE-2019-5736 runc flaw triggers a container escape and it allows potential attackers to access the host filesystem upon execution of a malicious container, overwrite the runc binary present on the system, and run arbitrary commands on the container’s host system.

While the container breakout security flaw found in runC was patched the same day by multiple vendors (e.g., Amazon, Google, and Docker), and one of the runC maintainers published a patch designed to fix the issue, there still are thousands of exposed Docker daemons online left unpatched.

Following the disclosure of the vulnerability on February 11, there were approximately 3,951 Docker daemons exposed and, as discovered by Imperva’s Vitaly Simonovich and Ori Nakar, the number remained pretty much constant with roughly 4,042 being reachable at this moment.

Exposed Docker hosts on Shodan
Exposed Docker daemons on Shodan

To be more exact, 3,968 have the 2375 port open and 74 have the 2376 one accessible (the ports Docker’s API listens to remote connections on), and more importantly, only 103 of the exposed Docker daemons that can be found on Shodan have also been updated to the patched 18.09.2 version or newer, leaving 3939 exposed to exploitation.

The security researchers went a step further and tested to see which of the hosts exposed by the Shodan search can actually be accessed by connecting to the IPs on port 2735 and listing the Docked images.

Following their tests, they found that out of the 3,8222 IPs that were exposed on the Shodan search engine, around 400 of them were actually accessible.

On the unpatched servers that were accessible because they had the Docker API exposed to remote connections –usually only accessible via the localhost/ loopback interface– the researchers found Docker images of crypto miners, as well as legitimate services and production environments.

Docker images found on accessible servers
Docker images found on accessible servers

As detailed in Imperva’s analysis:

We found that most of the exposed Docker remote API IPs are running a cryptocurrency miner for a currency called Monero. Monero transactions are obfuscated, meaning it is nearly impossible to track the source, amount, or destination of a transaction.  
Other hosts were running what seemed to be production environments of MySQL database servers, Apache Tomcat, and others.

Given that cryptojackers have already compromised hundreds of hosts and there are hundreds of others readily available for exploitation, this new Docker-powered cryptojacking campaign could prove to be a very lucrative one if vulnerable daemons will not get patched.

Although Imperva’s research team only showcased one instance of abusing vulnerable Docker daemons, there’s a lot more potential attackers can use compromised servers for:

- Launch more attacks with masked IPs
- Create a botnet
- Host services for phishing campaigns
- Steal credentials and data
- Pivot attacks to the internal network

While there are cases when the Docker API requires remote access, Imperva recommends putting in place adequate security controls designed to allow only trusted sources to access the API as described in the Securing Docker remote daemon chapter on the Docker documentation website.