Security researchers at Imperva reported finding hundreds of vulnerable Docker hosts that were being exploited by miners of a little-known cryptocurrency called Monero.
The researchers, Vitaly Simonovich and Ori Nakar, wrote in a blog post that currency miners were relying on a Docker runC vulnerability discovered in early February (later patched by Docker Inc.) in combination with an exposed remote Docker API.
The Docker remote API is often considered an efficient way for developers to control a remote Docker host. But the researchers noted, “with this great power comes a great risk – if the control gets into the wrong hands your entire network can be in danger.”
Imperva ran a test in early February that found more than 3,822 hosts with the remote API exposed publicly, of which about 400 were accessible. Further analysis revealed that a majority of the 400 were running a cryptocurrency miner for the Monero currency. Monero transactions are basically hidden, making it “nearly impossible to track the source, amount, or destination of a transaction,” the researchers added.
Simonovich noted that Docker issued a security update for the CVE-2019-5736 runC container vulnerability on Feb. 11. Docker also published information on how to secure the remote API daemon. Simonovich added, however, that threats still exist for companies that fail to secure internet-facing services.
“The fact that only about 400 out of 3,822 [Docker hosts] were accessible means that most of the users follow best practices,” he said. “On the other hand, those who fail to secure their internet-facing services get punished by hackers who exploit it for their needs” such as cryptomining or using the server as a proxy for further attacks.
The Docker container platform was originally designed by Docker Inc. before being moved into the open source community. Docker containers have been downloaded 85 billion times in the six-year history of the company, an indication of the potential scope of the cryptomining threat. The runC specification is an Open Container Initiative (OCI) runtime used in Docker Engine and containerd.
A Docker Inc. spokeswoman said the vulnerability was not specific to Docker. She explained to SDxCentral that exposing the API over HTTP is disabled by default. “Someone would have to specifically enable it to be vulnerable,” she said. “This is something that Docker consistently advices against in our documentation and as a part of security best practices.”
Imperva agreed that exposing the API publicly can be dangerous, but also useful and can even be required by third-party apps like Portainer, a management user interface for Docker. “You have to make sure to create security controls that allow only trusted sources to interact with Docker API,” the Imperva blog adds.
Imperva plans to release a cloud discovery tool for network and security admins to help them discover and detect publicly-accessible ports inside of Amazon Web Services (AWS) account, scanning for both instances and containers.
Gartner analyst Avivah Litan said the Imperva discovery is another example of the need for companies to be careful how they configure ways for people to get into their systems. “You have to guard the doors to the outside and have no single control,” she said in an interview. “You have to have layered security.”
Litan recommended companies create privileged access management to “make sure that legitimate users can perform operations with tools like two-factor authentication and analytics to make sure to look at somebody’s behavior once inside the network.”
“The continuous authentication concept has been around for years, but people still don’t implement it,” she said.
Imperva’s discovery “was not shocking, but just another example of a vulnerability,” Litan added. “However, if it happens to you, it’s pretty critical.”