Dockerized Botnet Launches DDoS Attack Against Docker Engine


A DDoS (Distributed Denial of Service) attack floods a target system with massive traffic.

Hackers use networks of compromised computers (botnets) to generate massive traffic, disrupting the target’s normal functioning by overloading its resources. The goal is to make a website or online service inaccessible to legitimate users.


Cybersecurity researchers at Cado Security Labs recently reported to Cyber Security News that they have discovered a new campaign that exploits misconfigured, exposed Docker Engine APIs to spread a malicious container dubbed OracleIV (aka “oracleiv_latest”).

The malware inside the container is Python code compiled into an ELF executable that functions as a DDoS bot agent, able to carry out a variety of flood techniques.

Dockerised Botnet DDoS Attack

Repeated targeting of Docker Engine API for initial access is a growing trend, often for cryptojacking malware delivery. 

Unintentional API exposure is common, with various campaigns scanning for it. The prevalence isn’t surprising due to the rise of microservice architectures. 

Once a valid endpoint is found, launching a malicious container becomes effortless, especially when hosted on Dockerhub.

Attackers initiate access with an HTTP POST request to Docker’s /images/create endpoint, pulling an image from Dockerhub. 

Once the pull completes, they issue the container create and start commands to spawn it. In a recent case, the attacker pulled ‘oracleiv_latest’ from Dockerhub, uploaded by the user robbertignacio328832, with over 3,000 pulls and ongoing iterations.
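The pull, create and start sequence described above leaves a recognisable trail in the Docker Engine API access log. The following detector, an added example and not code from Cado Security or the article, correlates that sequence per client address and also flags pulls of the image name reported here. The log line format, the trusted client range (10.0.0.0/8) and all sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Docker Engine API request logs (not real traffic).
# Assumed line format: "<timestamp> <client_ip> <method> <path>"
SAMPLE_LOG = """\
2023-11-09T10:01:02Z 203.0.113.7 POST /v1.43/images/create?fromImage=robbertignacio328832/oracleiv_latest&tag=latest
2023-11-09T10:01:09Z 203.0.113.7 POST /v1.43/containers/create
2023-11-09T10:01:10Z 203.0.113.7 POST /v1.43/containers/5f1c2a9d7b3e/start
2023-11-09T10:05:00Z 10.0.0.5 GET /v1.43/containers/json
2023-11-09T10:06:00Z 10.0.0.5 POST /v1.43/images/create?fromImage=library/nginx&tag=1.25
2023-11-09T10:06:30Z 10.0.0.5 POST /v1.43/containers/create
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
# Image name reported for this campaign in the article; extend from your own IoC feed.
KNOWN_BAD_IMAGES = {"oracleiv_latest"}
# Assumed: only clients in this range are permitted to drive the daemon.
TRUSTED_PREFIXES = ("10.",)

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect(log_text):
    """Return (client_ip, reason) alerts for suspicious API sequences."""
    pulled = defaultdict(list)   # ip -> images pulled via POST /images/create
    created = set()              # ips that issued POST /containers/create
    alerts = []
    for ev in parse(log_text):
        ip, path = ev["ip"], ev["path"]
        untrusted = not ip.startswith(TRUSTED_PREFIXES)
        if ev["method"] == "POST" and "/images/create" in path:
            q = dict(p.split("=", 1) for p in path.partition("?")[2].split("&") if "=" in p)
            image = q.get("fromImage", "")
            pulled[ip].append(image)
            if image.rsplit("/", 1)[-1] in KNOWN_BAD_IMAGES:
                alerts.append((ip, f"pull of known-malicious image {image}"))
            elif untrusted:
                alerts.append((ip, f"image pull from untrusted client: {image}"))
        elif ev["method"] == "POST" and path.endswith("/containers/create"):
            created.add(ip)
        elif ev["method"] == "POST" and re.search(r"/containers/[^/]+/start$", path):
            if untrusted and ip in created and pulled[ip]:
                alerts.append((ip, f"pull -> create -> start chain after pulling {pulled[ip][-1]}"))
    return alerts
```

Run `detect()` over a real daemon access log and an empty alert list means no untrusted client completed the pull/create/start chain and no listed image was pulled.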

Besides this, the user “robbertignacio328832” gave the image a MySQL Docker image description on Dockerhub, hiding the malicious payload commands, such as retrieving the “oracle.sh” ELF executable, in the image layers.

The image layers execute three RUN commands, for the following purposes:-

For malicious payload (Source – Cado Security)

For xmrig miner (Source – Cado Security)

For miner configuration file (Source – Cado Security)

Apart from this, the researchers also found that the 64-bit ELF contains Cython-compiled Python code, recognisable by functions with “CyFunction” in the name.

Embedded Cython functions (Source - Cado Security)

Here below we have mentioned all the functions that were identified:-

  • bot.main
  • bot.init_socket
  • bot.checksum
  • bot.register_ssl
  • bot.register_httpget
  • bot.register_slow
  • bot.register_five
  • bot.register_vse
  • bot.register_udp
  • bot.register_udp_pps
  • bot.register_ovh

The bot connects to the C2 server at 46.166.185[.]231:40320 and authenticates with the hardcoded password “n3tg34rp0wn3d”; an incorrect key results in an offensive reply.

After authentication, the C2 sends “routine ping, greetz Oracle IV”, apparently the result of a programming abnormality. Besides this, Cado Security Labs observed the botnet performing DDoS attacks on targets with the following types of floods:-

DDoS capabilities

Here below we have mentioned all the DDoS capabilities that the botnet has:-

  • UDP
  • UDP_PPS
  • SSL
  • SYN
  • HTTPGET
  • SLOW
  • FIVE
  • VSE
  • OVH

Recommendations

OracleIV highlights attackers exploiting misconfigured Docker Engine APIs for initial access. Container portability lets malicious payloads run uniformly across hosts.

Cado has already reported OracleIV to Docker, and the researchers urged Dockerhub users to follow these recommendations:-

  • Always be cautious of malicious images.
  • Make sure to check images for safety.
  • Regularly assess pulled images for potential malicious code.
  • Always review and defend against misconfigured internet-facing services like Jupyter, Redis, etc.

IOCs

IOCs (Source - Cado Security)
