Cybercriminals have launched attacks against Docker APIs in the past but now they’re building and running malicious container images on the host according to a new report from Aqua’s Nautilus Team.
In a blog post detailing the discovery, lead data analyst at Aqua Security, Assaf Morag explained that this is the first time the firm has observed attackers building their own images as opposed to using ones from a public registry, saying:
“The attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host. As far as we know, this is the first time that an attack in which the attacker builds an image rather than pulling it from a public registry is observed in the wild.”
Building images directly on a targeted host
What sets this recent attack against Docker APIs apart from previous ones is the fact that the “the attacker did not pull an image from a remote source” but instead chose to build the image directly on the targeted host in an effort to bypass defense mechanisms. This also allows the attacker to increase the persistency of their infrastructure by building it directly on the host.
This new tactic is quite concerning as it prevents hosts from reporting malicious images to Docker Hub or other public registries. Aqua and others companies like it scan these registries frequently in order to find and collect malicious images used by hackers.
According to Morag’s blog post, the image built directly on the host was used to execute a resource hijacking attack by using a cryptominer and cryptomining is the currently the most popular attack method used for containers.
Although this new tactic does require a bit more work, it is not too technically complex and can be carried out by less skilled hackers.