Vulnerable Docker issue

Comments

  • JabJab Member
    edited January 22

    The exact method used to spread the malware to vulnerable Docker hosts is currently unclear, but it's suspected to involve the use of search engines like Shodan to scan for prospective targets.

    Much wow. Much details.

    Why do I have a feeling it will end like last year's NPM Typosquatting Malware and in theory it's gonna be user fault? :D

    The containers are deployed on the vulnerable Docker host over the Internet by an attacker-controlled server. Cado Security have been unable to obtain a copy of the spreader, however can speculate that the attacker discovered the honeypot via a service like Shodan.

    Thanked by tentor
  • jarjar Patron Provider, Top Host, Veteran
    edited January 22

    I mean you’re either going to have to get into the box first, or you’re going to need to have a port exposed to a service that allows some control of docker on the system. I don’t see someone with only 22/80/443 open being exposed to this kind of theoretical attack unless they get in 22, or what’s running the app on 80/443 has a high enough permission level and allows a code execution attack (or allows a code execution attack + is vulnerable to privilege escalation).

  • $ cat .html | grep 9Hits | wc 
    8
    

    amount of valuable info: 0
    sum: shitpost

  • This type of exploit is just docker API without authentication on public IP.
    A well-known problem. Even described in the docker documentation.
    https://docs.docker.com/engine/security/#docker-daemon-attack-surface

  • 0xC7 Member

    This type of exploit is just docker API without authentication on public IP.

    Somehow I'm too afraid of exposing a docker container running with --cap-add options (especially NET_ADMIN NET_BIND_SERVICE NET_RAW) to the public :#

  • emgh Member

    I like Docker

  • emgh Member

    Therefore I use Docker

  • exposing docker daemon via tcp 2375 can get ur server fked
    ppl can send api calls to launch a container with anything.

    same thing happened to me a few years ago using https://github.com/ehazlett/shipyard
    the developer was exposing the docker api on a public port unsecured for no reason even when not using any remote node. docker was new back then, I had no idea of this api part, and when I reported it to his github repo he said this is normal 😂

  • yoursunny Member, IPv6 Advocate

    @0xC7 said:

    This type of exploit is just docker API without authentication on public IP.

    Somehow I'm too afraid of exposing a docker container running with --cap-add options (especially NET_ADMIN NET_BIND_SERVICE NET_RAW) to the public :#

    docker run --privileged -p 23 secobau/telnetd
    YOLO

    Thanked by sillycat, 0xC7
  • kait Member

    @JabJab said:

    The exact method used to spread the malware to vulnerable Docker hosts is currently unclear, but it's suspected to involve the use of search engines like Shodan to scan for prospective targets.

    Much wow. Much details.

    Why do I have a feeling it will end like last years NPM Typosquatting Malware and in theory it's gonna be user fault? :D

    The containers are deployed on the vulnerable Docker host over the Internet by an attacker-controlled server. Cado Security have been unable to obtain a copy of the spreader, however can speculate that the attacker discovered the honeypot via a service like Shodan.

    You don't want to know how many hosts have the docker control port open to the public, so you just spin up a container on their server and you're done.
