
Attackers find new way to exploit Docker APIs

Aqua Security released research detailing a new tactic where the attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host.

Attacks against container infrastructure have evolved, according to new research by Aqua Security.

While the exploitation of misconfigured Docker APIs is nothing new, threat actors are now building and running malicious container images on the vulnerable host. Aqua's cyber security researchers, the Nautilus Team, published a blog on Wednesday detailing a new type of attack against Docker container infrastructure.

"The attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host. As far as we know, this is the first time that an attack in which the attacker builds an image rather than pulling it from a public registry is observed in the wild," Nautilus wrote in the blog.

Attackers find new way to exploit Docker API

The researchers did not watch the attack as it happened; a honeypot captured it in real time and provided recordings that they analyzed postmortem, said Aqua Security lead data analyst Assaf Morag.

"We've only seen this type of attack occur once, so this was a single attack," Morag said. "Nevertheless, we see a lot of attacks in this environment so we have kind of a baseline to how these attacks occur and how these attacks happen in the wild."

In this single attack, "the attacker did not pull an image from a remote source, but built it directly on the targeted host in order to bypass these defense mechanisms. Additionally, the attacker can thus increase the persistency of his infrastructure by building it directly on the host," Nautilus wrote in the blog.

The main concern is that this new tactic prevents hosts from reporting the malicious images to a public registry, such as Docker Hub.

"In all previous attacks, they used to pull the image from a public registry, from Docker Hub, which is a public space," said Idan Revivo, Aqua's head of cybersecurity research. "What happens then, when we detect this type of threat, we alert Docker Hub to tell them this is a malicious image. Now, they are building the malicious image directly on the host machine, so there's no public space that you can scan."

Normally, the Nautilus team scans Docker Hub daily to collect and find malicious images.

"If they build it on the host, we won't find it and we can't tell authorities this is a malicious image," Revivo said.

According to the blog post, "the image was built directly on the targeted host and executed a resource hijacking attack by using a cryptominer." Cryptomining is the most popular attack method for containers, Morag said.


"There's three main impacts that we see from these attacks, but the most prominent is cryptomining," Morag said. "Basically, they are trying to monetize the attack to get as much as they can. The main motivation is money."

Most of the attacks that Nautilus researchers have observed in the wild -- including this newer one -- are done by opportunistic threat actors.

"They are just trying to make money as fast as possible before they get discovered," Revivo said. "But it boils down to the attacker. If someone is targeting a company, I don't know if this is the best way to get in that direction."

Threats increase against Docker APIs

Morag has observed the evolution of exploits against the Docker container infrastructure. He said he found that threat actors are hiding more attacks, as well as making them more consistent.

"In this case, the focus is on a new tactic. If you build it directly on the host machine then it's much harder to take down, much harder," Morag said. "You can't blocklist the image so it's harder to detect."

Another new risk of this tactic is a threat actor's ability to add randomization.

"Because the image is built on the host machine, you won't be able to get it from an intel feed, which most security products have," Revivo said. "In addition, they can also add some randomization into the build process, which will make any image have different IP. So, that means there won't be two identical images so blocklist method or static scanning won't help with this attack."

In addition to not exposing Docker APIs, there are other fixes.

"A better approach is to look at the broader picture and use a Dynamic Threat Analysis (DTN) scanner to scan basically your entire Docker registry or server to understand the threats and hidden risks that not only stem from a misconfigured Docker API, but other ways that attackers can attack the organization or exploit this kind of environment," Morag said.

In the vulnerable API example, threat actors have already pushed it in the environment, but users can still scan with the DTN to see what the goal is, Revivo said.
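A host-side check for the build-on-host tactic described above, as an added example that is not from Aqua's research or the original article: it flags containers whose image has no registry digest, meaning the image was built or loaded locally rather than pulled, so it works without a hash blocklist. The JSON is constructed sample data in the shape of `docker image inspect` and `docker container inspect` output, the function names are hypothetical, and it assumes a host where every legitimate image is pulled from a registry.

```python
import json

# Constructed sample data, trimmed to the fields used here.
# Shape follows `docker image inspect` and `docker container inspect` output.
IMAGES = json.loads("""[
  {"Id": "sha256:aaaaaaaa", "RepoTags": ["nginx:1.25"],
   "RepoDigests": ["nginx@sha256:11111111"]},
  {"Id": "sha256:bbbbbbbb", "RepoTags": [], "RepoDigests": []}
]""")
CONTAINERS = json.loads("""[
  {"Name": "/web", "Image": "sha256:aaaaaaaa", "State": {"Running": true}},
  {"Name": "/worker7", "Image": "sha256:bbbbbbbb", "State": {"Running": true}},
  {"Name": "/old-job", "Image": "sha256:bbbbbbbb", "State": {"Running": false}}
]""")


def locally_built_ids(images):
    """Image IDs with no registry digest: built or loaded on this host, never pulled."""
    return {img["Id"] for img in images if not (img.get("RepoDigests") or [])}


def flag_containers(images, containers):
    """Containers created from images that have no registry digest."""
    local = locally_built_ids(images)
    findings = []
    for c in containers:
        if c.get("Image") in local:
            findings.append({
                "container": c.get("Name", "").lstrip("/"),
                "image_id": c["Image"],
                "running": bool(c.get("State", {}).get("Running")),
            })
    # Running containers first: they are the ones consuming resources now.
    return sorted(findings, key=lambda f: not f["running"])


if __name__ == "__main__":
    for f in flag_containers(IMAGES, CONTAINERS):
        print(f)
```

On build or development hosts, locally built images are expected, so treat a hit as a triage signal rather than proof of compromise.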

While there are multiple risks to this new exploitation threat, it does not require a more sophisticated attacker.

"It is more technical than just pulling an image, but it's not too technically complex," Revivo said. "I think it is definitely something smart to do because if you can't detect malicious images, then you can't report it."
