Dec 30, 2021

Cryptomining Attack Exploits Docker API Misconfiguration Since 2019

Campaign exploits misconfigured Docker APIs to gain network entry and ultimately sets up a backdoor on compromised hosts to mine cryptocurrency.
Hackers behind a cryptomining campaign have managed to avoid detection since 2019. The attacks exploited misconfigured Docker APIs that allowed them to gain network entry and ultimately set up a backdoor on compromised hosts to mine cryptocurrency, researchers said.
The attack technique is script-based and dubbed “Autom”, because it exploits the file “autom.sh”. Attackers have consistently abused the API misconfiguration during the campaign’s active period; however, the evasion tactics have varied, allowing adversaries to fly under the radar, wrote Aquasec’s research arm Team Nautilus in a report published Wednesday.
Attackers hit honeypots set up by Team Nautilus 84 times since 2019: 22 attacks in 2019, 58 in 2020 and four in 2021 before the researchers began writing up their report in October. Attacks on the honeypots decreased significantly this year, while overall targeting of poorly configured Docker APIs did not, according to a Shodan search, the researchers noted.
“This decrease in attacks on our honeypots might imply that the attackers identified them and therefore reduced the volume of their attacks in 2021,” they wrote.
Though attackers have used the same entry point and tactics to achieve their ultimate goal of cryptomining throughout the campaign, what changed most over the years is how the threat actors have constantly evolved their evasive maneuvers to avoid detection, researchers said.
“We saw the progression of the campaign in the tactics that the adversaries use to avoid detection,” they wrote in the report.
Attackers also have used five different servers to download the shell script that initiates the attack since they started, they said. “It seems that the group behind the attack has developed their skills to expand the attack surface and spread their attack,” researchers wrote.
Team Nautilus first observed the attack in 2019, when a malicious command was executed during the run of the vanilla image alpine:latest, which downloaded the autom.sh shell script, they said in the report. Adversaries commonly use vanilla images along with malicious commands to perform attacks because most organizations trust these images and allow their use, researchers explained.
Attackers have consistently used the same entry point for the attack, which is executed from a remote server that searches for vulnerable hosts with misconfigured Docker APIs, they wrote.
Then they run the vanilla image and the subsequent malicious shell script, which creates a user named akay by two methods: adduser, which adds users by setting up the account’s home folder and other settings, and useradd, a low-level utility command for adding users.
Since the newly created user is not privileged, the threat actors elevate privileges by using the “sudo” prefix and then turn the account into a root user through the sudoers file, which controls how sudo works on a targeted machine and here grants unlimited privileges to run any command, basically making the threat actor a superuser, researchers wrote.
Attackers then use the domain icanhazip[.]com to get the public IP address of the compromised host and use it to download a file from the remote server. Through this series of steps, attackers install a backdoor that grants them persistence on the compromised host to stealthily mine cryptocurrency, researchers wrote.
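The entry point described above is an exposed, unauthenticated Docker API. As an added defender-side example (not code from the article or from Team Nautilus), the following Python audit reads a Docker daemon.json document and flags a TCP listener that lacks TLS client verification; the two sample configurations are constructed, and the daemon.json key names are assumed from common Docker usage.

```python
import json

# Constructed sample of /etc/docker/daemon.json (assumed key names; not from the report).
# Weak setting: the API listens on every interface with no TLS client verification.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Corrected setting: TLS with client-certificate verification on the conventional TLS port.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

ALL_INTERFACES = {"0.0.0.0", "::", "[::]"}


def audit_daemon_config(text: str) -> list:
    """Return (severity, message) findings for a daemon.json document.

    Only the 'hosts' list and the TLS flags are inspected; listeners passed to
    dockerd on the command line (-H) would need the same check separately.
    """
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// are local-only listeners
        addr = host[len("tcp://"):]
        bind = addr.rsplit(":", 1)[0]     # drop the port, keep the bind address
        if not tls_verify:
            findings.append(("high", f"{host}: API exposed without TLS client verification"))
        if bind in ALL_INTERFACES:
            findings.append(("info", f"{host}: listening on all interfaces"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(doc) or "no findings")
```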
While attackers have barely changed how they gain entry and achieve persistence on victims’ machines since they started the Autom campaign, they have changed two things: the server from which the shell script autom.sh was downloaded and, more notably, specific evasion tactics, researchers said.
To the latter point, Team Nautilus has observed the campaign evolving from having no “special techniques” for hiding its nefarious business in 2019 to adding more complex concealment tactics over the next two years, researchers said.
In 2020, they disabled a number of security mechanisms to stay hidden, including ufw (Uncomplicated Firewall), which lets users allow or deny access to a service, and NMI (non-maskable interrupt), the highest-priority interrupt, which typically signals non-recoverable hardware errors and is used to monitor system resets.
This year, attackers added a new technique to hide the cryptomining activity by downloading an obfuscated shell script from a remote server, researchers said.
“They encoded the script in base64 five times to prevent security tools from reading it and understanding the intentions behind it,” they wrote. “Decoding the script revealed the mining activity.”
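The layered base64 concealment quoted above is trivial to undo during triage. As an added analyst-side example (not code from the article or from Team Nautilus), this Python helper peels nested base64 layers until the content stops looking like base64 and reports how many layers it removed; the sample script it is run on is a constructed placeholder, not the campaign's dropper.

```python
import base64
import binascii
import re

# A layer must consist solely of the base64 alphabet plus optional padding.
_B64_LAYER = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def peel_base64(blob: bytes, max_layers: int = 16):
    """Decode nested base64 layers until the payload stops looking like base64.

    Returns (layers_removed, innermost_bytes). The max_layers bound keeps a
    pathological input (e.g. plaintext that happens to be valid base64) from
    looping indefinitely.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        compact = b"".join(current.split())   # tolerate line-wrapped blobs
        if not compact or len(compact) % 4 or not _B64_LAYER.match(compact):
            break
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        current = decoded
        layers += 1
    return layers, current


def wrap_base64(data: bytes, times: int) -> bytes:
    """Constructed helper: apply base64 encoding `times` times to build test input."""
    for _ in range(times):
        data = base64.b64encode(data)
    return data


# Constructed stand-in for a dropper script; five layers mirrors the reported count.
SAMPLE_SCRIPT = b"#!/bin/sh\n# constructed placeholder for analysis\necho placeholder-miner\n"
SAMPLE_BLOB = wrap_base64(SAMPLE_SCRIPT, 5)

if __name__ == "__main__":
    n, inner = peel_base64(SAMPLE_BLOB)
    print(f"removed {n} base64 layer(s)")
    print(inner.decode("utf-8", errors="replace"))
```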
Other concealment capabilities added over the course of the campaign included downloading the log_rotate.bin script, which launches the cryptomining activity by creating a new cron job that initiates mining every 55 minutes on the compromised host, researchers added.
“The Autom campaign illustrates that attackers are becoming more sophisticated, continually improving their techniques and their ability to avoid detection by security solutions,” they observed.