Cyber security news for all

Cybercriminals Exploit Docker API Servers for SRBMiner Crypto Mining Attacks

Cybersecurity researchers at Trend Micro have uncovered a campaign in which cybercriminals target exposed Docker remote API servers to break into hosts and deploy the SRBMiner crypto miner. The attackers evade security controls by speaking gRPC over h2c, a combination that slips past traditional safeguards and lets them exploit Docker hosts for illicit cryptocurrency mining.

According to researchers Abdelrahman Esmail and Sunil Bharti, the attack begins with a reconnaissance phase in which the actor identifies Docker API servers that are publicly exposed and able to upgrade connections to the h2c protocol (HTTP/2 without TLS encryption). Once such a server is found, the attacker probes Docker functionality through various gRPC methods, which handle tasks such as health checks, file synchronization, authentication, and more within the Docker environment.


Execution of the Attack

Once the target server accepts the connection upgrade request, the attacker issues a /moby.buildkit.v1.Control/Solve gRPC request to create a Docker container. From there, they inject the SRBMiner payload, hosted on GitHub, to start unauthorized cryptocurrency mining, specifically of XRP. By tunnelling gRPC over h2c the actors sidestep several security layers at once, so the SRBMiner crypto miner can run without being detected.

In a parallel campaign, Trend Micro has observed a rise in attacks that abuse Docker's remote API servers to deploy malware, including a strain known as perfctl. In these attacks the threat actors create Docker containers from an image such as "ubuntu:mantic-20240405" and execute a Base64-encoded script that installs further malware on the compromised host. One particularly insidious payload disguises itself as a PHP file named "avatar.php" and delivers a malicious binary called "httpd" to further obscure its activity, echoing earlier findings from Aqua Security.
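The two indicators the write-up gives for the SRBMiner sequence are an h2c connection upgrade against the exposed API and a subsequent /moby.buildkit.v1.Control/Solve gRPC call. The following script is an added example, not code from Trend Micro or the Docker project, that flags both per client and reports clients that exhibit the full sequence. The log format (one JSON object per line with client, method, path and headers, as a reverse proxy in front of the API might emit) and the sample lines are constructed assumptions; only the Control/Solve path comes from the article.

```python
"""Added example: flag Docker remote API traffic matching the h2c upgrade plus
BuildKit gRPC sequence described above.

Assumption: the log is JSON lines with "client", "method", "path", "headers".
Sample lines are constructed; 203.0.113.7 plays the attacker, 10.0.0.5 is a
trusted host making ordinary Engine API calls.
"""
import json
from collections import defaultdict

SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"client": "203.0.113.7", "method": "GET", "path": "/_ping", "headers": {}},
    {"client": "203.0.113.7", "method": "POST", "path": "/session",
     "headers": {"Upgrade": "h2c", "Connection": "Upgrade, HTTP2-Settings"}},
    {"client": "203.0.113.7", "method": "POST",
     "path": "/moby.buildkit.v1.Control/Solve",
     "headers": {"Content-Type": "application/grpc"}},
    {"client": "10.0.0.5", "method": "GET", "path": "/containers/json", "headers": {}},
    {"client": "10.0.0.5", "method": "POST", "path": "/containers/create",
     "headers": {"Content-Type": "application/json"}},
])

# gRPC service prefix named in the article; any method under it is notable on
# a daemon that is not supposed to serve remote builds.
BUILDKIT_PREFIX = "/moby.buildkit.v1.Control/"


def classify(record):
    """Return the indicator names a single request matches (possibly none)."""
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    hits = []
    if "h2c" in headers.get("upgrade", "").lower():
        hits.append("h2c-upgrade")      # cleartext HTTP/2 upgrade on the API port
    if record.get("path", "").startswith(BUILDKIT_PREFIX):
        hits.append("buildkit-grpc")    # BuildKit control-plane method reached via the API
    if headers.get("content-type", "").startswith("application/grpc"):
        hits.append("grpc-body")        # gRPC framing where JSON is expected
    return hits


def analyze(log_text):
    """Parse JSON-lines log text.

    Returns (indicators, suspects): indicators maps each client to the sorted
    list of indicators seen across its requests; suspects lists clients whose
    requests contain both the h2c upgrade and a BuildKit Control call, i.e.
    the full sequence from the write-up.
    """
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        per_client[record["client"]].update(classify(record))
    suspects = sorted(c for c, hits in per_client.items()
                      if {"h2c-upgrade", "buildkit-grpc"} <= hits)
    return {c: sorted(h) for c, h in per_client.items()}, suspects


if __name__ == "__main__":
    indicators, suspects = analyze(SAMPLE_LOG)
    for client, hits in indicators.items():
        print(client, hits or "-")
    print("full h2c -> BuildKit Solve sequence from:", suspects)
```

A single h2c upgrade is not proof of compromise (legitimate BuildKit clients use it), which is why the script only escalates a client that also reaches the Control service; on a daemon that should never accept remote builds, either indicator alone is worth an alert.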


Mitigation and Recommendations

As Docker environments become an increasingly popular target, organizations need to harden their remote API servers. Strong access controls, multi-factor authentication, and close monitoring for suspicious activity are strongly recommended to thwart unauthorized access. Following container security best practices, such as limiting exposed endpoints and ensuring comprehensive logging, further reduces the chance that these attacks succeed.
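"Limiting exposed endpoints" for the Docker daemon in practice means not publishing the API on a plaintext TCP socket and, where a TCP listener is unavoidable, requiring TLS client certificates. The audit below is an added example, not code from Trend Micro or the Docker project, that reads a daemon.json and reports that exposure. The keys it checks (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are real daemon.json settings; the weak and hardened sample configs, the addresses and the certificate paths are constructed.

```python
"""Added example: audit a Docker daemon.json for a remotely reachable API
listener that lacks TLS client verification.

Both sample configs are constructed. The weak one is the shape that leaves the
API open to anyone who can reach the port; the hardened one binds to a single
internal address and requires client certificates.
"""
import json
from urllib.parse import urlsplit

WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.10:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # constructed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit(daemon_json_text):
    """Return a list of (severity, message) findings; empty means no exposure found."""
    cfg = json.loads(daemon_json_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix:// or fd:// only: nothing reachable over the network
    # --tlsverify implies --tls; --tls alone encrypts but accepts any client.
    tls_on = bool(cfg.get("tls")) or bool(cfg.get("tlsverify"))
    verify = bool(cfg.get("tlsverify"))
    for host in tcp_hosts:
        addr = urlsplit(host).hostname or ""
        if addr in ("", "0.0.0.0", "::"):
            findings.append(("medium", f"{host}: listener bound to every interface"))
        if not tls_on:
            findings.append(("critical", f"{host}: plaintext TCP listener, no TLS"))
        elif not verify:
            findings.append(("high", f"{host}: TLS without tlsverify, any client accepted"))
    if tls_on:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(("low", f"TLS enabled but {key!r} not set explicitly; "
                                        "daemon falls back to its default path"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit(text) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Running the audit is a cheap pre-deployment check for hosts whose daemon.json is managed by configuration management; a finding at "critical" corresponds exactly to the precondition the campaign relies on, an API that answers unauthenticated requests from the internet.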

This latest wave of attacks highlights the growing sophistication of adversaries exploiting Docker ecosystems for illicit cryptocurrency mining and underscores the need for a proactive defensive posture across cloud infrastructure.
