So, what is “cryptojacking”, how does it relate to Docker, and why should you care? First, let’s define some terms; Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency and Docker is a tool designed to make it easier to create, deploy, and run applications by creating containers for individual services.
Earlier this week, Bad Packets published a report on their Twitter about a new type of attack they’d identified over the last few days. This attack starts by simply scanning ports typically associated with Docker services, 2375/tcp, 2376/tcp, 2377/tcp, and 4243/tcp. If any of those ports are found to be open to the outside world, the attacker then tries to access the path “/v1.16/version” at each of those ports. If the attacker receives a response to that request, it’s a clear indication that the Docker service’s API is exposed to the internet.
For any hosts which have this API exposed, the attacker then sends a request to that API, telling that Docker daemon to start a new container. That new container is simply an Alpine Linux container, with a modified start command which directs the container to download a file, pipe it to bash, then chroot to run the resulting code. This code, among other things, runs a CPU based CryptoNight miner known as xmrig in that Docker container. For those unfamiliar, CryptoNight is the hashing algorithm used by many cryptocurrencies, but, most notably, by Monero. This CPU mining container will be ran with no limits on its CPU or RAM usage; eventually using any and all available CPU resources on the host to mine for cryptocurrency for the attacker.
Obviously, this is an attack we would rather avoid if at all possible. Compute resources are expensive, power to run those resources is not free, and this type of attack could easily cause resource contention issues within your current dockerized infrastructure. The good news is that mitigating this attack vector is quite simple indeed; just ensure that your Docker API port(s) aren’t available to the Internet. If you must have your Docker API port(s) exposed, I’d highly suggest using a non-standard port externally.
One last thing to note; this is the first week’s entry in a series of blog posts I’ll be doing, so stay tuned for more if you’re enjoying this content!
Stay safe out there!