Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro.
Key Points:
Attack Details:
• Used gRPC carried over h2c (cleartext HTTP/2, negotiated through an HTTP/1.1 Upgrade request) to evade security solutions and run crypto mining on Docker hosts.
• Initial steps involved checking the Docker API version and then requesting the gRPC/h2c upgrade, after which Docker functionality was driven through gRPC calls.
Exploitation by Cybercriminals:
• Scanned for publicly exposed Docker API hosts and checked whether they accepted the HTTP/2 (h2c) protocol upgrade.
• Sent gRPC requests to create containers and mine XRP cryptocurrency using SRBMiner.
Impact and Risks:
• Carrying the requests as gRPC over h2c lets the traffic slip past security layers that only inspect HTTP/1.1 or expect a TLS handshake.
• The same actors have also been observed abusing Docker containers to deploy the perfctl malware, delivering a Base64-encoded payload disguised as a PHP file.
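The chain above (version probe, h2c upgrade, gRPC, container creation) is visible in the raw HTTP that reaches an exposed daemon. The following detection script is an added example, not code from Trend Micro or the report; it parses constructed sample requests (RFC 5737 documentation addresses, a hypothetical `/grpc` path, and a placeholder container spec, none of which are taken from the report) and tags the steps of the reported chain, so the logic can be pointed at a proxy log or packet capture in front of a Docker API.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample traffic (illustrative, not captures from the Trend Micro
# report): raw HTTP/1.1 requests as a reverse proxy or packet capture in front
# of a Docker daemon listening on tcp://0.0.0.0:2375 might record them.
# The /grpc path and the container spec are placeholders (assumptions).
SAMPLE_REQUESTS = [
    ("203.0.113.45",
     "GET /version HTTP/1.1\r\nHost: 198.51.100.7:2375\r\n"
     "User-Agent: Go-http-client/1.1\r\n\r\n"),
    ("203.0.113.45",
     "POST /grpc HTTP/1.1\r\nHost: 198.51.100.7:2375\r\n"
     "Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
     "HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA\r\n"
     "Content-Type: application/grpc\r\n\r\n"),
    ("203.0.113.45",
     "POST /v1.41/containers/create HTTP/1.1\r\nHost: 198.51.100.7:2375\r\n"
     "Content-Type: application/json\r\n\r\n"
     '{"Image":"ubuntu","Cmd":["/bin/sh"]}'),
    ("127.0.0.1",
     "GET /_ping HTTP/1.1\r\nHost: localhost:2375\r\n\r\n"),
]

# Docker API paths may carry a version prefix: /v1.41/containers/create.
VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")
DEPLOY_PATHS = {"/containers/create", "/images/create", "/build"}
START_PATH = re.compile(r"^/containers/[^/]+/(start|exec|attach)$")

DESCRIPTIONS = {
    "exposed": "request reached the daemon from a non-loopback address",
    "recon": "GET /version probe, the first step in the reported chain",
    "h2c-upgrade": "HTTP/1.1 Upgrade to h2c (cleartext HTTP/2), the carrier for gRPC",
    "grpc": "application/grpc content type on a Docker API port",
    "deploy": "container or image creation / start via the remote API",
}
HIGH = {"h2c-upgrade", "deploy"}


@dataclass
class Finding:
    src: str
    method: str
    path: str
    reasons: list  # tags from DESCRIPTIONS, in detection order

    @property
    def severity(self):
        return "high" if HIGH & set(self.reasons) else "medium"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def analyze(src, raw):
    """Return a Finding for one request, or None if nothing in it is notable."""
    method, path, headers, _body = parse_request(raw)
    norm = VERSION_PREFIX.sub("", path) or "/"
    tags = []
    if not ipaddress.ip_address(src).is_loopback:
        tags.append("exposed")
    if headers.get("upgrade", "").lower() == "h2c" or "http2-settings" in headers:
        tags.append("h2c-upgrade")
    if headers.get("content-type", "").startswith("application/grpc"):
        tags.append("grpc")
    if method == "GET" and norm == "/version":
        tags.append("recon")
    if method == "POST" and (norm in DEPLOY_PATHS or START_PATH.match(norm)):
        tags.append("deploy")
    return Finding(src, method, path, tags) if tags else None


def triage(requests):
    """Run analyze() over (source_ip, raw_request) pairs and keep the hits."""
    return [f for f in (analyze(src, raw) for src, raw in requests) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        print(f"[{f.severity}] {f.src} {f.method} {f.path}")
        for tag in f.reasons:
            print(f"    {tag}: {DESCRIPTIONS[tag]}")
```

The h2c rule keys on the `Upgrade: h2c` and `HTTP2-Settings` headers rather than on any path, because the upgrade is what lets the later gRPC frames bypass tooling that only parses HTTP/1.1; a loopback `/_ping` from the local Docker client produces no finding, while a version probe from a remote address is reported even before any container is created.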
Defense Strategies:
• Never expose the Docker remote API without authentication: keep it on the unix socket or loopback, or require mutual TLS (tlsverify with client certificates) on the TCP listener, and restrict reachability of the port with firewall rules.
• Monitor for unusual activity (unexpected container or image creation, h2c upgrade requests to the daemon, unknown miner processes) and follow container security best practices.