Docker Servers Mining Monero? Yes. A Lot.


Hear that sound?

That’s the sound of hundreds of Docker servers quietly mining for dark web cryptocurrency.

Cointelegraph reports this morning that 400 servers running Docker’s container virtualization are exposed to exploitation by Monero miners – Monero being the cryptocurrency known for its ability to be traded anonymously.

“A misconfiguration of the vulnerable Docker hosts permits public access to the Docker API, which should only be locally accessible,” writes Adrian Zmudzinski this morning. “This misconfiguration, combined with a newly discovered vulnerability, allows attackers to obtain administrator rights on the server and install software of their choice.”

Zmudzinski notes that the same vulnerability can also lead to malware installation.
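The misconfiguration described above boils down to one thing a defender can check: the Docker API listening on a TCP address reachable from outside the host without client-certificate authentication. The audit script below is an added example, not code from the article, Cointelegraph, Imperva or the Docker project. It reads the real dockerd settings `hosts`, `tls` and `tlsverify` from a daemon.json document and `-H`/`--host` flags from a dockerd command line (as found in a systemd ExecStart line), and flags every listener that is neither a local socket nor loopback-bound nor protected by `tlsverify`. The sample configurations and command line are constructed for the demonstration.

```python
"""Audit Docker daemon configuration for a publicly reachable, unauthenticated API.

Added example (not from the article or from Docker). Uses the documented
dockerd settings: "hosts", "tls", "tlsverify" in daemon.json and -H/--host on
the command line. All sample inputs below are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]  # dockerd default when "hosts" is unset


def classify_host(host: str, tlsverify: bool) -> str:
    """Classify one dockerd endpoint as 'local', 'authenticated', 'EXPOSED' or 'unknown'.

    - unix:// and fd:// sockets live on the host and are governed by file permissions.
    - tcp:// on a loopback address is only reachable locally.
    - tcp:// elsewhere is EXPOSED unless tlsverify (client certificates) is enabled;
      "tls": true alone only encrypts, it does not authenticate the client.
    """
    if host.startswith(("unix://", "fd://")):
        return "local"
    if host.startswith("tcp://"):
        # An omitted address (tcp://:2375) is treated conservatively as non-loopback;
        # dockerd substitutes its own default there, so confirm with ss/netstat.
        addr = urlsplit(host).hostname or ""
        if addr in LOOPBACK:
            return "local"
        return "authenticated" if tlsverify else "EXPOSED"
    return "unknown"


def hosts_from_cmdline(cmdline: str) -> list:
    """Extract every -H / --host endpoint from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        for prefix in ("-H=", "--host="):
            if arg.startswith(prefix):
                hosts.append(arg[len(prefix):])
        i += 1
    return hosts


def audit(config_json: str, cmdline: str = "") -> dict:
    """Return {endpoint: classification} for daemon.json plus any -H flags."""
    cfg = json.loads(config_json) if config_json.strip() else {}
    hosts = list(cfg.get("hosts") or []) + hosts_from_cmdline(cmdline)
    if not hosts:
        hosts = DEFAULT_HOSTS
    tlsverify = bool(cfg.get("tlsverify", False))
    return {h: classify_host(h, tlsverify) for h in hosts}


def exposed_endpoints(config_json: str, cmdline: str = "") -> list:
    """List only the endpoints that are reachable remotely without authentication."""
    return [h for h, verdict in audit(config_json, cmdline).items() if verdict == "EXPOSED"]


# Constructed samples: the weak setting beside the corrected one.
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_CMDLINE = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for label, cfg, cmd in (("weak daemon.json", WEAK_CONFIG, ""),
                            ("hardened daemon.json", HARDENED_CONFIG, ""),
                            ("weak ExecStart", "", WEAK_CMDLINE)):
        print(f"{label}: {audit(cfg, cmd)}")
```

Run it against `/etc/docker/daemon.json` and the `ExecStart=` line of the docker.service unit; any `EXPOSED` verdict means the daemon accepts unauthenticated API calls from whatever network can reach that port, which is exactly the condition the article's "public access to the Docker API" refers to. The fix is either to drop the TCP listener and use the Unix socket, or to keep TCP only with `tlsverify` and a CA that issues client certificates.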

Experts aren’t even ruling out a ransomware situation.

“The data on the server is also accessible to the hacker,” Zmudzinski explains, “including the database and some unencrypted credentials, including passwords, Imperva notes.”

This breaking news is especially demoralizing because container virtualization was supposed to be the savior of back-end hardware setups. Dealing with Docker, Kubernetes and the other neat new container tools has brought companies untold efficiencies and new ways of running developer tool shops – but what if cryptojacking is the Achilles’ heel of this whole enterprise system?

Also, the report around Docker’s flaw suggests that cryptojacking could become much more widespread than it already is – and that’s saying something.

“Cryptojacking is seemingly widely used as a way to earn money among cybercriminals,” Zmudzinski writes, providing a concrete example: “US-based software corporation Microsoft has removed eight Windows 10 applications from its official app store after cybersecurity firm Symantec identified the presence of surreptitious Monero mining code.”

However, the threat to Docker is not really new – months ago, platforms like ZDNet had writers describing how related attacks would work:

“The first stage of the attack is to identify front-facing systems and websites vulnerable to remote code injection attacks,” wrote Charlie Osborne last November. “A command is sent through the application layer — often by way of manipulating a text field on a domain or via an exposed API in a website URL — or by ‘probing an embedded shell console commonly found on code reference websites,’ according to the researchers…. The injected code then filters down to the back-end operating system and eventually finds its way to the container environment…. The second phase of such attacks initiates when the container is spun up. In recent attacks spotted, the code is executed and commands are sent directly to the shell within a Docker container.”

Clearly, exposed Docker APIs are a problem. The API itself has been hailed as a game-changer for software interconnectivity, but with some of these kinds of glitches hiding in plain sight, it’s worth asking whether the epidemic of cryptojacking will change the way that CTOs spin up systems. Keep an eye on cryptojacking reports, because, in addition to changing business practices, they can, from time to time, move markets.