Akamai security researcher Larry Cashdollar set up the Docker image to see what kind of notice it might attract from the wider web’s cadre of cyberattackers. He enabled the SSH protocol for encrypted access and set a “guessable” root password.
Since it was running a standard cloud container configuration, it wouldn’t stand out on the web as an obvious honeypot, he explained, in a blog on Wednesday. Instead, it would simply look like a vulnerable cloud instance.
Accordingly, the Docker image soon came under fire, as outlined in a Wednesday analysis. The four distinct attacks that Cashdollar saw hitting the honeypot included: those wanting to use the container as a proxy to tap into Twitch streams or access other services; botnet infections; cryptomining; and a work-from-home scam.
As the container’s administrator, Cashdollar was able to capture all of the credentials that the attackers were using to attempt to log into the image. He found, interestingly, that attackers using the log-in combinations of root:admin, root:root or oracle:oracle would “invariably use the Docker image as a SOCKS5 proxy through SSHd,” explained the researcher.
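The SOCKS5 abuse described above depends on three sshd settings: root may log in, passwords are accepted, and TCP forwarding is allowed. The following added example (not code from the analysis or from Akamai) audits an sshd_config for those settings, applying the OpenSSH 7.0+ defaults for directives that are absent; both sample configurations are constructed.

```python
"""Added example: audit an sshd_config for the settings that let a guessable
root password turn a host into a SOCKS proxy. Sample configs are constructed."""
import re

# Effective values when a directive is absent (OpenSSH 7.0 and later defaults).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "allowtcpforwarding": "yes"}

def parse_sshd_config(text):
    """Map each directive (lower-cased) to its first value, since sshd honours
    the first occurrence; stop at the first Match block, which is conditional."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg

def audit_sshd_config(text):
    """Return the weak settings found; an empty list means none of the three
    abuse-enabling options is on."""
    eff = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can authenticate with a password")
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: logins are guessable; use keys")
    if eff["allowtcpforwarding"] in ("yes", "all", "local"):
        findings.append(f"AllowTcpForwarding {eff['allowtcpforwarding']}: "
                        "any authenticated session can tunnel traffic via this host")
    return findings

# Constructed: resembles the honeypot (password root login, forwarding at default).
WEAK_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
# Constructed: the hardened counterpart.
HARDENED_CONFIG = """Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
MaxAuthTries 3
"""
```

Note that a Match block can re-enable forwarding for specific users or groups, so the per-criteria sections still need a separate review.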
The proxies drove various kinds of traffic, including dialing up streams on the popular game-streaming platform Twitch. “I found out from a colleague that the Twitch stream proxies were probably being used to pad a player’s stream viewer count,” Cashdollar noted in the analysis.
On the botnet installation front, the first botnet infection turned out to be a variant known as Xorbot.
“The installation’s first task was to establish persistence via cron entries, and place copies of itself in /usr/bin, as well as startup scripts to /etc/init.d,” wrote Cashdollar. “The command-and-control (C2) communications were handled over domains that resolved to 220.127.116.11 on port 3309.”
A Mirai internet-of-things (IoT) botnet also took aim at the Docker image and successfully infected it, which Cashdollar said was expected.
“Once the source code for Mirai was leaked to the internet in 2016, criminals have leveraged it to spin-off dozens of variants, and it continues to spread to this day,” he pointed out.
The third kind of attack targeting the Docker instance infected it with the XMRig cryptomining malware. Cryptojacking is a scourge that has hit production Docker implementations in the past. Cashdollar analyzed the malicious code of this specific variant and found that it took care to establish persistence.
“An installation script is run via SSH that monitors the process tree with ‘top’ – a process-monitoring tool – checking for when the malware has successfully been executed. Once the process is detected…the malware adds two new users to the system – test and test1. It changes the root password to “” (blank) and creates entries in cron to start the mining software up after a reboot.”
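The Xorbot and XMRig installers described above leave host-level traces a defender can check for: accounts that were not in the image, a root entry in /etc/shadow with an empty hash field, and crontab lines (notably @reboot ones) that were not there at deploy time. The following added example (not code from the analysis or from Akamai) compares a host's current state against a deploy-time baseline; every file content and path below is a constructed placeholder.

```python
"""Added example: audit a Linux host for the post-compromise indicators the
analysis describes (added accounts, blank root password hash, cron entries
restarting the payload). All file contents below are constructed samples."""

def blank_password_accounts(shadow_text):
    """Accounts whose /etc/shadow hash field is empty; '*' and '!' lock an
    account and are not flagged."""
    return [f[0] for f in (line.split(":") for line in shadow_text.splitlines())
            if len(f) >= 2 and f[1] == ""]

def unexpected_accounts(passwd_text, baseline_users):
    """Accounts in /etc/passwd that were not present when the image was built."""
    current = {line.split(":")[0] for line in passwd_text.splitlines() if line.strip()}
    return sorted(current - set(baseline_users))

def new_cron_entries(cron_text, baseline_cron):
    """Crontab lines absent from the deploy-time snapshot; @reboot entries are
    the ones that bring a payload back after a restart."""
    known = {line.strip() for line in baseline_cron.splitlines()}
    return [line.strip() for line in cron_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and line.strip() not in known]

def audit_host(passwd_text, shadow_text, cron_text, baseline_users, baseline_cron):
    """Collect all deviations; an empty dict means the host matches baseline."""
    findings = {}
    if acct := blank_password_accounts(shadow_text):
        findings["blank_password"] = acct
    if acct := unexpected_accounts(passwd_text, baseline_users):
        findings["new_accounts"] = acct
    if cron := new_cron_entries(cron_text, baseline_cron):
        findings["new_cron"] = cron
    return findings

# Constructed deploy-time baseline and post-compromise state (placeholder paths).
BASELINE_USERS = ["root", "daemon", "sshd"]
BASELINE_CRON = "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1::/usr/sbin:/usr/sbin/nologin\n"
          "sshd:x:100:65534::/run/sshd:/usr/sbin/nologin\n"
          "test:x:1001:1001::/home/test:/bin/sh\n"
          "test1:x:1002:1002::/home/test1:/bin/sh\n")
SHADOW = ("root::18700:0:99999:7:::\n"          # empty hash field: blank password
          "daemon:*:18700:0:99999:7:::\n"
          "sshd:*:18700:0:99999:7:::\n"
          "test:$6$placeholder$hash:18700:0:99999:7:::\n")
CRON = (BASELINE_CRON +
        "@reboot /usr/bin/placeholder-payload >/dev/null 2>&1\n")
```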
And finally, he also uncovered cybercriminals using the server as an email relay in a work-from-home scam. The criminals were duping victims into submitting expense reports for high-dollar purchases, along with scanned receipts, to a target who was presumably in charge of approving them.
“There were red flags about this email relay from the moment the connections started,” Cashdollar noted. “The actors intentionally used root/root to log into the Dovecot mail server, something they wouldn’t need to do if there was any legitimacy to the messages they were sending.”
However, after reading the messages and attachments, Cashdollar ascertained that victims were being duped into making purchases at various big-box retailers, sending the equipment to a second person (a mule working on behalf of the cybercriminals) and then submitting “expense reports” for reimbursement. That reimbursement would never arrive.
“Work-from-home scams are common, and based on the logs, it’s clear the expense reports were submitted by victims using their own credit cards, or corporate cards (i.e. stolen cards) provided by the criminal, in order to obtain access to high-value retail products, including phones, laptops and personal tablet computers,” he said.
The 24-hour experiment highlights how quickly criminal activity can sniff out and start to abuse vulnerable cloud infrastructure.
“Resources that aren’t properly secured are subject to a myriad of attacks from adversaries with different intentions,” Cashdollar said. “When connecting systems to the Internet, you must follow basic security practices to ensure your system isn’t hacked or used to attack other internet hosts.”
Docker is no stranger to security snafus and exposures. In April, an organized, self-propagating cryptomining campaign was found targeting misconfigured open Docker Daemon API ports.
And in February, a slew of misconfigured Docker container registries inadvertently exposed source code for 15,887 unique versions of applications owned by research institutes, retailers, news media organizations and technology companies.
Back in October, more than 2,000 unsecured Docker Engine (Community Edition) hosts were found to be infected by a cryptojacking worm dubbed Graboid (so-named after the sandworms in the 1990 Kevin Bacon movie, Tremors).
And last May, it was discovered that for three years, some Alpine Linux Docker images had shipped with a root account and no password, opening the door for attackers to easily access vulnerable servers and workstations provisioned for the images.