The Gafgyt malware (often referred to as Bashlite or Lizkebab) has expanded its attack scope by targeting publicly exposed Docker Remote API servers.
Gafgyt malware, also known as Bashlite, and Mirai have targeted millions of vulnerable IoT devices in recent years. The new finding of this malware attacking Docker Remote API servers indicates a significant change in its behavior.
To spread the malware, the attackers, in this instance, created a Docker container based on a legitimate “alpine” Docker image and targeted publicly accessible misconfigured Docker remote API servers.
In addition to deploying Gafgyt malware, the attackers deployed Gafgyt botnet malware to infect the victim. The attacker might initiate a DDoS attack on the targeted servers upon deployment.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
How Attackers Exploit Exposed Docker Remote API Servers?
Trend Micro reports that the attacker initially attempted to install the Rust-written Gafgyt botnet binary, named “rbot,” in a Docker container created via the “alpine” docker image.
The attacker is utilizing “chroot” to modify the container’s root directory to “/mnt” and the “Binds”:[“/:/mnt”] option. With this command, the attacker mounts the host’s root directory (/:) to the container’s /mnt directory.
With this command, the container can access and change the host’s filesystem as if it were part of its own. The attacker may be able to take over the host machine and increase privileges by doing this.
When the malicious bot successfully communicates with the C2 server, it parses the response and uses HTTP, TCP, and UDP to execute a DDoS attack.
If the attacker was unable to create a container after the container creation request failed, they attempted to deploy another container using a different Gafgyt binary but still based on the same Alpine Docker image.
Researchers say that the code uses Google’s DNS server 8.8.8.8 as a target IP to decide which local IP address and network interface the system will utilize for outgoing communication.
Once the socket is created and a connection is attempted, the local IP address of the interface that will be used to communicate with Google’s DNS server is obtained
Recommendation
- Protect Docker Remote API servers from unauthorized access by setting robust access restrictions and authentication procedures in place.
- keep an eye on Docker Remote API servers for any odd behavior.
- Adopt standard practices for container security, including avoiding “Privileged” mode and thoroughly checking container images and configurations before deployment.
- Keep yourself updated on Docker and related software security fixes and updates.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar