Bitcoin Forum
December 29, 2025, 12:07:49 PM *
Author Topic: [WARNING] Cryptojacking via infected Docker containers.  (Read 192 times)
satscraper (OP) | Legendary | May 28, 2025, 08:51:54 AM | Post #1
Merited by vapourminer (1), ABCbits (1)

Heads up to crypto users.

Stay vigilant!

The whole scheme looks like the following:

Attackers can exploit a poorly secured Docker API to gain access to containers and infect them. Once a given container is compromised, it starts creating additional "zombie" containers, which continue to spread the infection. The attackers take control of these containers, using them for cryptocurrency mining and for launching attacks to infect other systems and networks. This creates a self-replicating cycle in which each new infected container contributes to the rapid growth of the attack.

For those with more technical background, feel free to read the specifics over there.

ABCbits | Legendary | May 28, 2025, 10:48:08 AM | Post #2
Merited by vapourminer (1)

Since I notice Docker is a fairly popular option to run a self-hosted Bitcoin node and other Bitcoin programs, people should also know that Docker has major security implications. As explained on https://unix.stackexchange.com/a/607852, anyone who can access Docker effectively has root (a.k.a. admin) access.

Mia Chloe | Legendary | May 28, 2025, 11:01:55 AM | Post #3

> ~snip

Thumbs up for sharing. The really tricky part is that once they're in, your computer becomes a "zombie" that then helps spread the infection to other machines, creating a growing network of hijacked systems. I think one way to keep this from happening is making sure your Docker system isn't directly exposed to the internet and using firewalls to block unwanted connections.

Second, we should try not to give out spare keys, only use software from trusted sources, and ensure your applications have just enough power to do their job, no more, though this is kind of practically impossible.

Cricktor | Legendary | May 30, 2025, 01:24:11 PM | Post #4

For the above-shown infection path to work, a victim has to expose his Docker API in an insecure manner to the network/internet. And frankly I don't know why anybody would want to do this in an insecure way at all. You're asking for trouble if you allow uncontrolled access to your Docker API for strangers over the internet. Don't do this!

Before reading the linked article, my preemptive thoughts were: who runs unverified or shady containers? But then I saw that's not the main problem here.

tech30338 | Sr. Member | May 30, 2025, 01:31:24 PM | Post #5

This is why, even when I'm setting up a staging or LAMP environment, I always make things secure or check which ports are open. You can never be sure these days; even a secure network can be compromised, because hackers always find a way. The diagram shows how computers are being infected by worms in the network.

mocacinno | Legendary | May 30, 2025, 01:40:14 PM | Post #6

> Since I notice Docker is a fairly popular option to run a self-hosted Bitcoin node and other Bitcoin programs, people should also know that Docker has major security implications. As explained on https://unix.stackexchange.com/a/607852, anyone who can access Docker effectively has root (a.k.a. admin) access.

The solution is already in the stackexchange discussion: podman... Podman can run under an unprivileged user. You can even go as far as creating multiple unprivileged users and have each user run its own container (even though I did not test this setup myself).

Mia Chloe | Legendary | May 30, 2025, 07:40:08 PM | Post #7

> For the above-shown infection path to work, a victim has to expose his Docker API in an insecure manner to the network/internet. And frankly I don't know why anybody would want to do this in an insecure way at all. You're asking for trouble if you allow uncontrolled access to your Docker API for strangers over the internet. Don't do this!

The truth is no one wants to get hacked and no one will knowingly grant these permissions when they are fully aware of the harm it will do to their computer. This is basically the reason why you see them target newbies instead. Most people are fond of hitting the yes button on any site, granting permissions easily.
Out of carelessness sometimes they don't even bother to read through the whole thing; they just hit "Grant permission" or "yes", as the case may be, the same way people fail to read terms and conditions.

cryptoaddictchie | Legendary | May 31, 2025, 12:02:28 AM | Post #8

Will this kind of attack also be used against AI systems and fragmented node running? I've been into alts and there are a lot of AI progress projects that let users use a Docker installation in the process. I'm not quite familiar with it, but if this is also possible there's a lot of potential risk of being exposed to scammers' schemes.

ABCbits | Legendary | May 31, 2025, 08:20:38 AM | Post #9

> Since I notice Docker is a fairly popular option to run a self-hosted Bitcoin node and other Bitcoin programs, people should also know that Docker has major security implications. As explained on https://unix.stackexchange.com/a/607852, anyone who can access Docker effectively has root (a.k.a. admin) access.
>
> The solution is already in the stackexchange discussion: podman... Podman can run under an unprivileged user. You can even go as far as creating multiple unprivileged users and have each user run its own container (even though I did not test this setup myself).

Yeah, I've read the solution mentioned in the link I included. But podman (along with Docker rootless mode) isn't popular enough; AFAIK it's rarely mentioned outside security discussions.

DYING_S0UL | Hero Member | May 31, 2025, 06:48:36 PM | Post #10
Merited by vapourminer (1)

This may seem like a stupid question, but what is this Docker API and where is it used? I have been a PC user for years, but this is the first time I am hearing of such things. Or maybe it could be that I never tried to explore advanced options, resulting in my unawareness of it. Another question: how does the first compromise happen? The user has to execute the executable file, right? I believed (still do) that no malware can infect the system on its own. The user has to run it no matter what for it to spread! I could be wrong though, correct me if that's the case..

Cricktor | Legendary | June 01, 2025, 09:28:17 AM | Post #11

> Another question: how does the first compromise happen? The user has to execute the executable file, right? I believed (still do) that no malware can infect the system on its own. The user has to run it no matter what for it to spread! I could be wrong though, correct me if that's the case..

Regarding the Docker API, I'm probably at the same level as you. I use Docker a bit; can't say I'm very experienced. I would have to dig up details on why and how to expose the Docker API for remote access. I'm pretty sure this isn't something that's available by default. That would be crazy... not that there aren't other crazy things out there by default.  Cheesy

For the first compromise I can imagine different scenarios, by no means complete:
  • execution of an unchecked and already compromised and/or malicious container
  • what you already proposed: execution of malware by a careless user on the target system to infect it
  • possibly a zero-day or simply an unpatched vulnerability which allows unattended RCE (remote code execution) on the target system.
    This would allow compromising a system without any user interaction (worst case).

I'm just listing the very obvious. I'm no malware researcher; I'm just curious and interested in this field to gain knowledge on how to protect myself and my devices.

DYING_S0UL | Hero Member | June 01, 2025, 09:50:31 PM | Post #12

>> Another question: how does the first compromise happen? The user has to execute the executable file, right? I believed (still do) that no malware can infect the system on its own. The user has to run it no matter what for it to spread! I could be wrong though, correct me if that's the case..
>
> Regarding the Docker API, I'm probably at the same level as you. I use Docker a bit; can't say I'm very experienced. I would have to dig up details on why and how to expose the Docker API for remote access. I'm pretty sure this isn't something that's available by default. That would be crazy... not that there aren't other crazy things out there by default.  Cheesy
>
> I'm just listing the very obvious. I'm no malware researcher; I'm just curious and interested in this field to gain knowledge on how to protect myself and my devices.

I still can't figure out what the hell this Docker API is. Googled a bit and asked ChatGPT what it was, and it gave me some high-level technical stuff which went over my head. I guess this thing is for advanced users only. Not my cup of tea. Btw, since it isn't visible by default and I saw you saying "a victim has to expose his Docker API in an insecure manner to the network", does that mean those who don't mess with these parts/settings are somehow immune to this? Right!? I mean I can't even intentionally or unintentionally expose myself, as I don't know how or where to; I never go that deep.  Smiley

Cricktor | Legendary | June 02, 2025, 08:55:16 PM | Post #13

> ~~~

As far as I understood the not deeply explained "mechanics" of this infection pathway, dudes like us, who use Docker in a non-remotely-accessible manner, are safe and immune to being infected by an already infected device.

This Docker API, e.g., allows installing or changing containers from the remote side, which can talk to the target's Docker via the exposed API. An infected machine replaces or installs an infected container via this Docker API. Then the newly infected target device becomes a new infection spreader. It's like a malicious worm.

AFAIR the article didn't mention anything about whether the exposed Docker API was somehow access-protected, like with login credentials or similar. I can't wrap my head around it if this exposed API has no access control at all. That would be insanely dumb in my opinion.

Regarding my Docker stuff, I'm relaxed.
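A defender-side check for the exposure discussed above, added here as an example (it is not code from the thread or from the Docker project): it reads the two places where dockerd's listening sockets are normally configured, the "hosts" key of daemon.json and the -H/--host flags on the systemd unit's ExecStart line, flags any tcp:// listener that is not protected by --tlsverify or that is bound to all interfaces, and lists the members of the docker group, who, as ABCbits noted earlier, have root-equivalent access. All file contents are constructed sample data; the function names and the path comments are my own, and to audit a real host you would pass it the actual contents of those files.

```python
"""Audit Docker daemon exposure from its on-disk configuration.

Added example for this thread, not code from the forum or from Docker.
It inspects the two places where dockerd listeners are normally set:
  - /etc/docker/daemon.json           ("hosts" and "tlsverify" keys)
  - the dockerd systemd unit/drop-in  (-H / --host and --tlsverify flags)
and reports tcp:// listeners that lack TLS client verification, plus the
accounts in the docker group (root-equivalent access to the socket).
The inputs below are constructed sample data so the script runs offline.
"""
import json
import re
import shlex
from dataclasses import dataclass

# ---- constructed sample inputs (not taken from any real host) ----
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_UNIT = """[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
"""
SAMPLE_GROUP_FILE = """root:x:0:
docker:x:998:alice,bob
users:x:100:
"""
# Hardened variant: TLS client authentication and a loopback-only bind.
HARDENED_DAEMON_JSON = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],'
                        ' "tlsverify": true}')


@dataclass
class Finding:
    severity: str   # CRITICAL / HIGH / INFO
    message: str


def listeners_from_daemon_json(text):
    """Return (hosts, tlsverify) declared in daemon.json; empty text means no file."""
    cfg = json.loads(text) if text.strip() else {}
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def listeners_from_unit(text):
    """Return (hosts, tlsverify) from the flags of the last ExecStart= line.

    systemd honours the last ExecStart=; an empty one resets earlier values,
    which is how drop-in overrides are usually written.
    """
    execs = [ln.split("=", 1)[1] for ln in text.splitlines() if ln.startswith("ExecStart=")]
    args = shlex.split(execs[-1]) if execs else []
    hosts, tls = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):   # "-H value" form
            hosts.append(args[i + 1])
            i += 2
            continue
        m = re.match(r"^(?:-H|--host)=(.+)$", arg)          # "-H=value" form
        if m:
            hosts.append(m.group(1))
        if arg in ("--tlsverify", "--tlsverify=true"):
            tls = True
        i += 1
    return hosts, tls


def docker_group_members(group_text):
    """Members listed on the docker: line of an /etc/group file."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def audit(daemon_json, unit_text, group_text):
    """Combine both config sources and return a list of Findings.

    dockerd itself refuses to start when "hosts" is set in both places, but an
    auditor should still read both so a half-applied change is not missed.
    """
    hosts_j, tls_j = listeners_from_daemon_json(daemon_json)
    hosts_u, tls_u = listeners_from_unit(unit_text)
    tls = tls_j or tls_u
    findings = []
    for host in hosts_j + hosts_u:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// are reachable only from the host
        bind = host[len("tcp://"):].rsplit(":", 1)[0]
        if not tls:
            findings.append(Finding("CRITICAL", f"{host} listens without --tlsverify: "
                                    "anyone who can reach it controls the daemon"))
        elif bind in ("", "0.0.0.0", "::", "[::]"):
            findings.append(Finding("HIGH", f"{host} is TLS-protected but bound to all "
                                    "interfaces; restrict it to known clients"))
    for user in docker_group_members(group_text):
        findings.append(Finding("INFO", f"{user} is in the docker group (root-equivalent)"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DAEMON_JSON, SAMPLE_UNIT, SAMPLE_GROUP_FILE):
        print(f"[{f.severity}] {f.message}")
```

Run against the sample data it reports one CRITICAL finding for the plaintext tcp://0.0.0.0:2375 listener and two INFO findings for the docker-group members; the hardened daemon.json variant produces no listener findings, which is the state a self-hosted node operator should be aiming for, together with a host firewall in front of any TCP listener that does have to exist.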

l3pox | Legendary | June 02, 2025, 09:16:33 PM | Post #14

> For the above-shown infection path to work, a victim has to expose his Docker API in an insecure manner to the network/internet. And frankly I don't know why anybody would want to do this in an insecure way at all. You're asking for trouble if you allow uncontrolled access to your Docker API for strangers over the internet. Don't do this!
>
> Before reading the linked article, my preemptive thoughts were: who runs unverified or shady containers? But then I saw that's not the main problem here.

Is the only way to be exposed to be a Docker user and expose the API, or are there other attack vectors too?
Asking because it is interesting to know about the problems and vulnerabilities, but it's even better knowing how to protect against them and have a safe digital environment.

Does it make sense?
