


# Osquery on alpine Pc

There are a number of containers available on that enable the user to easily mine cryptocurrency, and those can be used to mine for both good and evil. These containers are often leveraged in cryptomining attacks, but there are those that are preconfigured to mine for a particular wallet and are obviously malicious in nature. We will look at both of those below, and at how they are used to hijack your computing resources for the attacker's gain.

## Investigating a reported cryptomining attack

There are numerous anecdotal reports on tech forums regarding compromised Docker instances. One such report came via one such forum last October. A user there reported that their Docker server was compromised and that it was used to mine cryptocurrency. In some ways this falls under the "Of course, exposed API / vulnerable application gets hacked" category, but the actual delivery mechanisms leave behind some interesting artifacts.

After gaining access to the Docker server, the attacker downloaded a preconfigured coin miner directly from that was configured to mine directly to the attacker's wallet. We can't say for sure that this specific container was used in an attack, as we were not in a position to directly observe it, but we can take the user at their word and explore what this sort of attack looks like.

This config is based on the commonly used lightweight Alpine Linux base. This container definition leads us further to the GitHub repository that is used for automated builds on Docker Hub. By reviewing the commit history, we can see the attacker updating the configuration and even experimenting with different coins.

Figure: GitHub commit changing target pool and currency from Monero to Aeon.

This particular Docker config isn't the only thing that our attacker is working on: as of April 6, our attacker has set up new repositories, switched his Docker base from Alpine to Ubuntu 16.04, and is using the "--av=2" switch that is used for low-power mining on virtual CPUs.

Figure: Newly committed repository indicating shift to Ubuntu base OS.

The configured wallet and pool lead us directly to activity against that wallet. Judging from his or her overall activity with Monero, we see that the attacker has been fairly successful, having mined 175 Monero (approx. $35,000 USD) from this pool.

Figure: Historical hashrate for configured wallet.

## Vulnerable APIs put you at risk of cryptomining

In real-world tests of intentionally deployed vulnerable Docker configurations, we observed that our instances were compromised hours after deployment. We observed that our instances were used to download the Minergate mining software from. The software was launched with the attacker's login information in the command line. Using the Docker client from his machine, the attacker was able to quickly deploy a malicious container to our instance using the same command line tools that make managing Docker easy.

Figure: Network capture of attack downloading Minergate Docker container.

The moral of the story is: don't deploy vulnerable Docker configurations. Cybercriminals have an array of automated tools to scan for and detect insecure APIs and exposed vulnerabilities. The same tools that make it easy for you to manage and deploy Docker environments, and the same tools that allow you to mine for cryptocurrency yourself, can also be used against you by attackers who want to hijack your environment to mine cryptocurrency for their own financial gain.
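As an added example that is not part of the original post, the following Python script puts the Docker configuration mistake described above beside its corrected form: it reads a daemon.json, flags any TCP API listener that lacks `tlsverify` (the condition that lets a remote Docker client start containers as root), and scans container inspect records for the Minergate image name or the `--av=` switch mentioned in the write-up. The daemon.json contents, the container records and the example.com addresses are all constructed for this example.

```python
import json
import re

# Constructed sample daemon.json contents (not from the original post): the weak form
# exposes the Docker API on every interface with no TLS client auth; the hardened form
# requires client certificates on the conventional TLS port.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], "tlsverify": true,'
    ' "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",'
    ' "tlskey": "/etc/docker/server-key.pem"}')

# Constructed container records shaped like a subset of `docker inspect` output.
SAMPLE_CONTAINERS = [
    {"Name": "web", "Image": "nginx:alpine", "Cmd": ["nginx", "-g", "daemon off;"]},
    {"Name": "miner", "Image": "example/minergate-cli",
     "Cmd": ["minergate-cli", "-user", "attacker@example.com", "--av=2"]},
]

TCP_HOST = re.compile(r"^tcp://(?P<addr>[^:]*):?(?P<port>\d+)?$")
# Image names and command-line fragments typical of miner containers.
MINER_HINTS = re.compile(r"minergate|stratum\+tcp://|--av=\d", re.IGNORECASE)


def audit_daemon_config(daemon_json: str) -> list[str]:
    """One finding per TCP listener lacking client-cert auth or bound to all interfaces."""
    cfg = json.loads(daemon_json)
    tls_ok = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for host in cfg.get("hosts", []):
        m = TCP_HOST.match(host)
        if not m:
            continue  # unix sockets are governed by filesystem permissions
        addr = m.group("addr") or "0.0.0.0"
        if not tls_ok:
            findings.append(f"{host}: API on TCP without tlsverify; anyone who can reach "
                            f"{addr} can start containers as root on this host")
        elif addr in ("0.0.0.0", "::"):
            findings.append(f"{host}: TLS-protected but bound to all interfaces; "
                            "firewall it or bind to a management address")
    return findings


def flag_miner_containers(records: list[dict]) -> list[str]:
    """Names of containers whose image or command line carries a miner indicator."""
    return [r.get("Name", "?") for r in records
            if MINER_HINTS.search(" ".join([r.get("Image", ""), *r.get("Cmd", [])]))]
```

Running `audit_daemon_config` over a real host's `/etc/docker/daemon.json` (and `flag_miner_containers` over `docker inspect` output) gives a quick check for the exposure this article describes; the hardened form still returns one finding, because a TLS-protected API bound to all interfaces deserves a firewall rule.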
