[Reprint] Cryptojacking worm found in Docker Hub images has infected 2,000 hosts


https://www.kubernetes.org.cn/5951.html

I was going to say that you can just use the official version of the image, but there have been cases of malicious code in open source software before, like the incident with an Angular component library. Security problems are a real risk.


Unit 42, the threat intelligence team at security firm Palo Alto Networks, has found a new cryptojacking worm named Graboid. The worm has so far infected more than 2,000 unsecured Docker hosts and uses them to mine the Monero cryptocurrency. The researchers cautioned that although the worm's mining routine is not sophisticated, it can download new scripts from its C2 (command and control) servers and could therefore easily be repurposed as ransomware or other malware, so enterprises should improve the protection of their Docker hosts.

Cryptojacking malware has spread as a worm before, but this is the first cryptojacking worm found spreading through containers on Docker Community Edition. The researchers said that most traditional endpoint protection software does not inspect the data and activity inside containers, which makes this kind of malicious activity hard to detect.

The attack chain starts with the attacker selecting an unsecured Docker daemon exposed on the public internet and using it to run a malicious image pulled from Docker Hub. The container then downloads scripts and a list of vulnerable hosts from the C2 server and selects the next target to which the worm spreads. Graboid both mines and spreads from inside the container: in each iteration it randomly selects three targets, installs the worm on the first, stops the miner on the second, and starts the miner on the third, a mechanism that makes the mining activity very random.

In other words, a newly infected host does not start mining immediately; its miner is only activated once it receives a signal from another infected host, and a host that is already mining can likewise receive a stop signal from some other randomly chosen infected host. Each miner is thus randomly controlled by other infected hosts. The researchers said they do not know the motivation behind this randomized control design: from an evasion standpoint the mechanism performs poorly, so it may simply be a poor design or serve some other purpose.

Unit 42 ran a simulation to understand the worm's overall mining capability, including how fast it spreads and how long each miner is active on an infected host on average. The researchers noted that with a pool of 2,000 vulnerable hosts, the worm takes about 60 minutes to infect 1,400 of them. Because the miners on infected hosts are randomly started and stopped, each miner is active only about 65% of the time, and each mining session lasts on average only about 250 seconds.

The research team analyzed the host list used by the worm: it contains 2,034 vulnerable hosts, 57.4% of whose IP addresses are in China and 13% in the United States. Of the 15 C2 servers used by Graboid, 14 also appear in that list, which means the attacker controlled the Docker daemons of those vulnerable hosts and installed a web server inside a container on them to serve the malicious payloads.

The Docker image Graboid uses in the attack, pocosow/centos, had been downloaded more than 10,000 times, and gakeaws/nginx had been downloaded 6,500 times. Unit 42 also found that gakeaws had published another cryptojacking image, gakeaws/mysql, whose contents are identical to gakeaws/nginx. After the researchers contacted the Docker team, all of these malicious images were removed.

The researchers warned that companies should not expose the Docker daemon on the public internet without an appropriate authentication mechanism; in fact, Docker Community Edition does not expose the daemon by default. Enterprises should talk to a local Docker daemon over its Unix socket, or connect to a remote Docker daemon over SSH.

Enterprise firewalls should also define whitelist rules for the sources of incoming traffic. Images should not be pulled from unknown Docker registries or unknown user namespaces, systems should be checked periodically for unknown images or containers, and cloud security solutions can be used to identify malicious containers.
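As an added example (not from the original article and not Unit 42's code), the following Python script checks the two hardening points above offline: whether a daemon.json exposes the Docker API over plain TCP to non-loopback addresses, and whether the images in use come from registries or Docker Hub namespaces outside an allowlist. The daemon.json content, the image list, the private registry name registry.example.internal and the allowlist are all constructed for illustration; the three flagged Hub images are the ones named in the article. In practice you would feed it /etc/docker/daemon.json and the output of docker ps --format '{{.Image}}'.

```python
"""Offline audit of two Graboid-relevant hardening points:
 1. Is the Docker daemon listening on a TCP socket without TLS?
 2. Are images pulled from registries or namespaces outside an allowlist?

All inputs below are constructed samples; in production, read the real
/etc/docker/daemon.json and the output of `docker ps --format '{{.Image}}'`.
"""
import json
from urllib.parse import urlsplit

# Constructed sample of /etc/docker/daemon.json on a misconfigured host:
# the daemon accepts unauthenticated API calls from any address on 2375.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample of image references as `docker ps --format '{{.Image}}'`
# prints them. The last three are the image names reported in the article.
SAMPLE_IMAGES = [
    "nginx:1.25",
    "registry.example.internal/payments/api:2.3.1",
    "pocosow/centos",
    "gakeaws/nginx:latest",
    "gakeaws/mysql",
]

# Assumed policy: official Docker Hub images (the implicit "library"
# namespace) and one hypothetical private registry are trusted.
ALLOWED_REGISTRIES = {"registry.example.internal"}
ALLOWED_HUB_NAMESPACES = {"library"}

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def exposed_listeners(daemon_json: str):
    """Return the tcp:// entries of `hosts` that are reachable from the
    network and not protected by TLS client verification (`tlsverify`)."""
    cfg = json.loads(daemon_json)
    findings = []
    for entry in cfg.get("hosts", []):
        url = urlsplit(entry)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only
        if (url.hostname or "") in LOOPBACK:
            continue  # bound to loopback: not reachable from the network
        if not cfg.get("tlsverify"):
            findings.append(entry)
    return findings


def parse_image_ref(ref: str):
    """Split an image reference into (registry, namespace, repository),
    following Docker's resolution rules: a first path component that
    contains '.' or ':' or equals 'localhost' is a registry, otherwise the
    registry is docker.io, and a bare name on Docker Hub lives in 'library'."""
    name = ref.split("@", 1)[0]            # drop any @sha256:... digest
    head, _, last = name.rpartition("/")
    last = last.split(":", 1)[0]           # a tag can only follow the last '/'
    parts = (head.split("/") if head else []) + [last]
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, parts = first, parts[1:]
    else:
        registry = "docker.io"
    if len(parts) == 1:
        namespace = "library" if registry == "docker.io" else ""
    else:
        namespace = parts[0]
    return registry, namespace, parts[-1]


def untrusted_images(images, allowed_registries=ALLOWED_REGISTRIES,
                     allowed_hub_namespaces=ALLOWED_HUB_NAMESPACES):
    """Return the image references whose registry/namespace is not allowlisted."""
    flagged = []
    for ref in images:
        registry, namespace, _ = parse_image_ref(ref)
        if registry in allowed_registries:
            continue
        if registry == "docker.io" and namespace in allowed_hub_namespaces:
            continue
        flagged.append(ref)
    return flagged


if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE_DAEMON_JSON):
        print(f"daemon API reachable from the network without TLS: {entry}")
    for ref in untrusted_images(SAMPLE_IMAGES):
        print(f"image from a registry or namespace outside the allowlist: {ref}")
```

The image parser deliberately treats a bare name like `pocosow/centos` as Docker Hub, because that is how the daemon resolves it; an allowlist keyed only on registry hostnames would let every Hub namespace through. A daemon with `tlsverify` set is not flagged, since it then requires a client certificate; a daemon on `tcp://0.0.0.0:2375` with no TLS is exactly the "insecure public Docker daemon" the worm targets.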

Reference: https://www.ithome.com.tw/news/133655


Source: www.cnblogs.com/jinanxiaolaohu/p/11741834.html