Attackers Target Exposed Docker Remote API Servers With perfctl Malware
Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack involves probing for the server, creating a Docker container with the "ubuntu:mantic-20240405" image, and executing a Base64 encoded payload. The payload escapes the container using the "nsenter" command, creates a bash script, and sets environment variables. It then downloads a malicious binary disguised as a PHP extension, employing evasion techniques to avoid detection. The malware uses persistence strategies such as creating a systemd service or a cron job. To mitigate these risks, securing Docker Remote API servers with strong access controls, monitoring for unauthorized activities, and adhering to container security best practices are essential. Regular updates and security audits are also recommended to enhance overall security posture.
The attack on exposed Docker Remote API servers began with the attackers probing for these vulnerable services, which allowed them to gain initial access. BlueRock's Container Capability Control effectively mitigates this step by securing external-facing remote services, preventing unauthorized access. Once access was gained, the attackers deployed a Docker container using a specific image, and executed a Base64 encoded payload. The payload attempted to escape the container using the 'nsenter' command to access the host's namespaces. BlueRock's Namespace Execution Guard is designed to prevent such container escape attempts, ensuring that even if a container is compromised, the host remains secure. These mechanisms collectively enhance the security posture against such sophisticated attacks by controlling container capabilities and preventing unauthorized namespace execution.
- T1133: External Remote Services: The attackers began their campaign by probing for exposed Docker Remote API servers. This technique is consistent with leveraging exposed remote services to gain initial access.
- T1610: Deploy Container: Once the attackers confirmed the presence of the Docker Remote API server, they created a Docker container using a specific image from Docker Hub. This technique involves deploying a container to execute further actions.
- T1059.004: Command and Scripting Interpreter: Unix Shell: After creating the Docker container, the attackers executed a Base64 encoded payload using the Docker Exec API. This technique involves using a command and scripting interpreter to execute malicious commands.
- T1611: Escape to Host: The payload attempted to escape the container by using the 'nsenter' command to enter the host's namespaces, which is indicative of a container escape technique.
- T1543.002: Create or Modify System Process: Systemd Service: The attackers created a systemd service for persistence if systemd was running in non-offline mode. This technique involves creating or modifying system processes to maintain persistence.
- T1053.003: Scheduled Task/Job: Cron: As a fallback persistence mechanism, the attackers set up a cron job, which is another method of maintaining persistence through scheduled tasks.
- T1036.005: Masquerading: Match Legitimate Name or Location: To avoid detection, the attackers named the container 'kube-edagent' to masquerade as a legitimate container, matching legitimate names or locations.
- T1082: System Information Discovery: The attackers gathered system information by checking for multiple running processes and active TCP connections, which is indicative of system information discovery.
- T1132.001: Data Encoding: Standard Encoding: The payload included a Base64 encoded shell script, which is a form of standard data encoding used to obfuscate the malicious commands.
- T1105: Ingress Tool Transfer: The attackers downloaded a malicious binary disguised as a PHP extension using a custom function, which is consistent with ingress tool transfer.
