Misconfigured Cloud Servers Targeted with Linux Malware for New Cryptojacking Campaign (cadosecurity.com) 16
Researchers at Cado Security Labs received an alert about a honeypot using the Docker Engine API. "A Docker command was received..." they write, "that spawned a new container, based on Alpine Linux, and created a bind mount for the underlying honeypot server's root directory..."
Typically, this is exploited to write out a job for the Cron scheduler to execute... In this particular campaign, the attacker exploits this exact method to write out an executable at the path /usr/bin/vurl, along with registering a Cron job to decode some base64-encoded shell commands and execute them on the fly by piping through bash.
The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker's Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server... To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh
"Multiple user mode rootkits are deployed to hide malicious processes," they note. And one of the shell scripts "makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker's session from being appended to the history file... Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn't appear in the shell history once a new session has been spawned."
The same script also inserts "an attacker-controlled SSH key to maintain access to the compromised host," according to the article, retrieves a miner for the Monero cryptocurrency and then "registers persistence in the form of systemd services" for both the miner and an open source Golang reverse shell utility named Platypus.
It also delivers "various utilities," according to the blog Security Week, "including 'masscan' for host discovery." Citing CADO's researchers, they write that the shell script also "weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents." The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet... ["For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers writes.]
"This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers," Cado notes. "It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments."
The vurl executable consists solely of a simple shell script function, used to establish a TCP connection with the attacker's Command and Control (C2) infrastructure via the /dev/tcp device file. The Cron jobs mentioned above then utilise the vurl executable to retrieve the first stage payload from the C2 server... To provide redundancy in the event that the vurl payload retrieval method fails, the attackers write out an additional Cron job that attempts to use Python and the urllib2 library to retrieve another payload named t.sh
"Multiple user mode rootkits are deployed to hide malicious processes," they note. And one of the shell scripts "makes use of the shopt (shell options) built-in to prevent additional shell commands from the attacker's session from being appended to the history file... Not only are additional commands prevented from being written to the history file, but the shopt command itself doesn't appear in the shell history once a new session has been spawned."
The same script also inserts "an attacker-controlled SSH key to maintain access to the compromised host," according to the article, retrieves a miner for the Monero cryptocurrency and then "registers persistence in the form of systemd services" for both the miner and an open source Golang reverse shell utility named Platypus.
It also delivers "various utilities," according to the blog Security Week, "including 'masscan' for host discovery." Citing CADO's researchers, they write that the shell script also "weakens the machine by disabling SELinux and other functions and by uninstalling monitoring agents." The Golang payloads deployed in these attacks allow attackers to search for Docker images from the Ubuntu or Alpine repositories and delete them, and identify and exploit misconfigured or vulnerable Hadoop, Confluence, Docker, and Redis instances exposed to the internet... ["For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host," the researchers writes.]
"This extensive attack demonstrates the variety in initial access techniques available to cloud and Linux malware developers," Cado notes. "It's clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments."
This is a concern about Docker/Kubernetes... (Score:5, Interesting)
One concern that is always notable is how secure the control plane is. Containers could be airtight, and VMs can be inescapable, but if the control plane allows bad guys to spawn containers, this pretty much creates a PC on the network that can be used for C&C, a base for hacking from, or any number of items, even just mining crypto.
What would be ideal is a hypervisor based AV system, but that may be too much of a heavyweight for someone's desktop PC that uses Docker, and wouldn't be possible in a Kubernetes environment.
Re:This is a concern about Docker/Kubernetes... (Score:4, Insightful)
But the revolutionary brand new never seen before technique used here is to pipe base64-encoded to bash! /s
Re:This is a concern about Docker/Kubernetes... (Score:4, Informative)
Containers are a really bad trade-off with regards to security. Sure, easy to use, fast to deploy, but impossible to secure. No surprise to any experienced engineer though: Containers increase complexity by a lot and complexity is _the_ primary enemy of security and reliability. Those that disrespect KISS shall never have secure or reliable systems.
Re: (Score:2)
What is ironic to me is how a lot of businesses want to use Kubernetes and Docker for persistent "pet" VMs. That can work, but there are so many layers of complexity, and Kubernetes doesn't do live migrations. Not everyone needs a the abstraction that Kubernetes gives.
This is one thing VMWare has down pat. It is relatively simple, and has an excellent control plane for "pet" VMs. For most companies, this is all they need. Stuff like OpenShift might be good for a cluster where the frontend app is often
Re: (Score:2)
Well, VMWare is a has-been. Broadcom will milk them for all they can and then discard the broken shell that will be left.
But the whole "container" idea is mostly broken. It works fine for experiments that do not run long, but that is essentially it. Why people try to solve their problems that stem from complexity they cannot manage by going for even more complexity is really beyond me. I can only conclude they have absolutely no clue what they are doing and unquestioningly listen to empty vendor vendor prom
Re: (Score:2)
I'm hoping for something like Proxmox to become VMWare's replacement. Right now, Proxmox has a lot of promise, but doesn't have the support tiers an enterprise needs, last time I checked, and doesn't have the app support. If Veeam doesn't support it, it isn't an option in most places, even though Proxmox does have its own backup capabilities. Hypervisors are becoming solid, but a scalable control plane is something that is very much needed. Something that supports stuff like snapshots, live migration, m
Re: (Score:2)
... and there isn't much left in the hypervisor market.
Which means it was foolish to ever rely on that market anyways.
Re: (Score:2)
xcp-ng + Xen Orchestra
https://xcp-ng.org/ [xcp-ng.org]
https://xen-orchestra.com/ [xen-orchestra.com]
Re: (Score:2)
XCP is awesome, coming from Xen, which was a tried and true hypervisor, but they need to get their SLAs for support up a bit to compete with VMWare. The SLA and customer support items are what keeps XCP-ng and Proxmox out of the big boy datacenters.
Of course, third parties, but this is why people need to yell at Veeam, Nakivo, Commvault and other third party app makers to have support for these hypervisors. Otherwise, we are left with VMWare, sort of going away, Hyper-V, which for a lot of businesses mean
Re: (Score:2)
>"Of course, we can't forget Red Hat. They had a truly awesome virtualization with oVirt/RHEV, but tossed it for OpenShift"
We actually started with oVirt and dumped it for XCP/XO. It seems considerably more feature-packed, stable, and performant. The main thing it seems to be missing is a stable, available, free, and open hyperconverged storage option. But they are working on it. I think they essentially dumped (or are dumping) glusterfs for DRDB. Not everyone has or wants to use a NAS/SAN.
https://x [xcp-ng.org]
Re: (Score:2)
It is good to have HCI with Linux, and something not glusterFS. I've also seen interest in Ceph, which surprised me, as I thought Ceph was a filesystem only, until I saw people using it via block protocols like iSCSI, FC, and others.
A traditional three tier system (SAN/network/compute) is a solid way to run things, but having the ability to spec servers with some SSD and then use that as part of a cluster can greatly help things, be it VM storage, or perhaps a way to do disk-to-disk backups at the drive fa
Re: (Score:2)
Exactly. Having choices is wonderful. Not everyone has the same equipment or needs or approaches. We had some bad experiences with oVirt and glusterFS. Perhaps it was because we didn't do things right, or had something misconfigured, but it soured the experience a lot. And now, of course, RedHat anything is poison so I am glad to be rid of oVirt. But I miss the utility of glusterFS.
Another thing I would like to see.... Live migration from one host to another, all using local storage on each is just a
Better than the originals??? (Score:1)
What's the misconfiguration? (Score:4, Interesting)
So... What was actually misconfigured to allow this to happen? I mean if someone is able to run the docker the command in the first place, you're already hosed.
Re: (Score:3)
I mean if someone is able to run the docker the command in the first place, you're already hosed.
Obviously so. But many people are in denial about containers. Same as any "hype" tech, they expect it to finally solve all their problems and make them not suck at things. That never pans out. But usually you find some assholes that are getting rich or richer off the empty promises.
Re: (Score:2)
Yeah ... too much detail for a nerd site I guess.