Image for post
Image for post

Container Vulnerabilities

In this article we will analyze the vulnerability discovered within container environments, specifically in Docker. In order to understand the concept of container, it will be necessary to detail its operation and current use in PAAS environments (Platform as a service) and how it has helped the processes of Digital Transformation.

Platform as a service (PaaS) is a complete cloud development and deployment environment, with resources that allow you to deliver simple cloud-based applications to sophisticated cloud-enabled enterprise applications.

Image for post
Image for post
Illustration 1 PaaS [1]

A container is a standard software unit that packages the code and all its dependencies so that an application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, independent and executable software package that includes everything needed to run an application: code, runtime, system tools, system libraries, and configurations. [2]

Image for post
Image for post

C. Containers and virtual machines

Containers and virtual machines have similar benefits of isolation and resource allocation, but they work differently because containers virtualize the operating system instead of the hardware.

Containers are an abstraction in the application layer that groups code and dependencies together. Multiple containers can run on the same machine and share the core of the operating system with other containers, each of which runs as isolated processes in the user’s space. Containers take up less space than virtual machines, so they can handle more applications and require fewer virtual machines and operating systems.

Virtual machines (VMs) are an abstraction of physical hardware that converts a server into many servers. The hypervisor allows multiple virtual machines to run on a single machine. Each VM includes a complete copy of an operating system, the application, the necessary binaries and libraries, which occupy tens of GB, unlike containers in which the size is considerably smaller.

Image for post
Image for post
Illustration 3 VM Internal Architecture 2

II. CryptoJacking

The beginning of cryptocurrencies began in 2009, since then its evolution has been increasing, consolidating itself as a valid payment method today.

More and more institutions and governments are beginning to accept this type of trade, including countries such as Australia, Japan, Switzerland, Norway and the Netherlands.

The anonymity that transactions allow, supported by a decentralized network such as Blockchain, as well as the increasingly high security from ransomware-type infections — due to the detection and prevention policies that have been implemented in recent times — have led cybercriminals to opt for new fraudulent strategies, one of them known as “cryptojacking”.

The term cryptojacking is derived from the conjunction of Cryptocurrency and Hijacking, defined as the illegitimate use of an electronic device, without the consent and knowledge of the user, by cybercriminals. [3]

The rise of this method have been in parallel with the rise of virtual currency quotations, as well as being relatively easy to make and automate and hard to detect in the infected device.

To understand how cybercriminals act, it is essential, at least, to know how to obtain cryptocurrencies (mining), important concepts such as wallet and Blockchain. The first refers to the digital wallet (common in shopping sites) and the second is similar to an account book where each of the transactions that are made are incorporated.

Knowing that the origin and destination of these transactions are anonymous, the amount of money, as well as the time the transaction was made are always known and can be consulted within the Blockchain. Mining consists in calculating a series of algorithms to check transactions carried out up to that moment.

Speaking from a very high level perspective, mining a virtual currency translates into computationally solving a “mathematical problem” related to cryptography, first the complexity is determined, as the capability of multiple teams to solve this problem and also in the complexity of the mathematical problem itself.

In the same way, in many cryptocurrencies, a maximum number of coins that can exist was established therefore less and less are left to “mine”.

Although there are several types of attacks, the main objective is user equipment.

The ultimate goal of code creation is to reduce the complexity of the mining process, how is this achieved? Dividing the computational effort among the largest possible number of computers, which translates into reduced time to obtain cryptocurrencies.

A method by which it seeks to obtain personal or confidential information from users through deception, resorting to the impersonation of the digital identity of a trusted entity.

Through spam or phishing emails, the attacker can try to trick the user into downloading and/or running a program that is supposedly legitimate, but in reality it is a cryptominer.

Image for post
Image for post
Illustration 4 A document with a harmful code

They are tools that automate the search for vulnerabilities in a system to infect it. Normally they enter through the browser or some add-on installed to download the harmful code.

Image for post
Image for post
Illustration 5 Example of harmful code injection

In most cases, cybercriminals seek to infect large-sized servers so they are able to mine cryptocurrencies as quickly as possible based on two main routes:

1) Infecting the equipment through any of the techniques mentioned above (social engineering)

2) Using more specific techniques to attack servers such as exploiting vulnerabilities, brute force, SQL injection, etc.

In August 2018, unit 42[1] identified a cryptojacking worm called “Graboid” that extended to more than 2,000 unsecured Docker hosts.

Image for post
Image for post
Illustration 6 Graboid Worm Tremors Movie 1990

Although there have been cryptojacking malware propagation attacks, it is the first in which the propagation has been carried out by means of containers, specifically in Docker Engine (Community Edition), as the more traditional endpoint protection software does not inspect data and activities inside containers. During the image execution on the compromised host, the malware is downloaded from the command and control servers (C2), periodically searches for new vulnerable hosts and chooses the next random target for worm propagation.

Command and control servers can be directly controlled by malware operators and able to run on infected computers.

Image for post
Image for post
Illustration 7 General Description of the Worm

A search was conducted through the search engine Shodan[1], in this search showed that more than 2,000 Docker engines are insecurely exposed to the Internet. Without authentication and/or authorization, the attacker can take full control of the Docker Engine and the associated host. The attacker takes advantage of this entry point to deploy and spread the worm. Figure 6 shows how malware is delivered and propagated. The attacker compromised an unsecured Docker daemon, executed the malicious Docker container extracted from the Docker Hub, downloaded the scripts and a vulnerable host list from C2 and repeatedly chose the next target to propagate the worm.

Graboid propagates inside the containers, randomly chooses its objectives in each iteration. It installs the worm on the first target, stops mining on the second target, and starts mining on the third target. This procedure or behavior leads to a very random mining, and as an example if host X is compromised, the malicious container does not start immediately, instead, it would have to wait until another compromised host chooses host X and begins the mining process.

Shodan is a search engine that allows the user to find the same or different specific types of equipment connected to the Internet.

The step by step of how both the attacker and the worm already act inside the host is as follows:

1) Step 1

The attacker chooses an unsecured Docker host as destination and sends remote commands to download and deploy the malicious Docker image. The image contains a tool from the Docker client which is used to communicate with other Docker hosts.

2) Step 2

The script inside the container with the operating system (pocow/centos) downloads 4 shell scripts from C2 and executes them one by one. These scripts are: live.sh, worm.sh, cleanxmrs.sh and xmr.sh.

3) Step 3

Lise.sh sends the available CPU number in the compromised host to C2.

4) Step 4

4worm.sh downloads an “ip” file that contains a list of more than 2000 ip. These IPs are the final unsecured Docker API hosts. Worm.sh randomly chooses one of the IPs as its target and uses the docker client tool to extract and deploy the pocow/centos container remotely.

5) Step 5

Clearxmr.sh randomly selects one of the vulnerable hosts in the IP file and stops cryptojacking containers at the destination. Cleanxmr.sh stops not only the cryptojacking container that deploys the worm but also other containers if they are running.

6) Step 6

Xmr.sh randomly selects one of the vulnerable hosts in the IP file and deploys the gakeaws/nginx image on the target host. This image contains the xmrig binary masked as nginx.

Steps 1 through 6 are repeated periodically on each compromised host. The last known update interval is set to 100 Seconds. The update interval, in addition to the Shell scripts and ip listing are downloaded from C2 after the container is started.

Image for post
Image for post
Illustration 8 Committed Docker Images

Understanding that one of the basic conditions for a vulnerability to exist is that a weakness must exist.

The important thing is to take the corresponding measures to prevent a third party from causing vulnerabilities, specifically for Docker, there are certain measures that need to be taken.

1) Host

It is the most important part of the Docker environment, since it is where the infrastructure is supported and where the containers will be executed.

a) User permissions

It is essential to limit users who can control the Docker daemon. By default, only the root user.

b) Files and directories audit

As the Docker daemon runs with root privileges, all directories should be audited constantly.

2) Docker Daemon

It is responsible for managing the life cycle of the different images on the host machine.

a) Limitation of traffic between containers

Being able to see the traffic between containers is an indirect source of data disclosure to other containers. There is a command to limit traffic between deployed containers:

docker –icc=false

Having good security practices applied to both the Host and the Daemon, in addition to its configuration files, and the other part would be the image.

A Dockerfile file contains all the necessary settings and instructions to create an image, therefore, Dockerfiles need to be created in a minimalist way in terms of applications, users, services, etc.

1) Execution with non-root user

By default, containers are executed with the root user, therefore they have those privileges, the most appropriate solution is to limit the execution user exclusively to the desired application.

To add the user in the Dockerfile file, the following command must be used:

RUN useradd <options>

USER <user>

2) Image integrity

Each image has a SHA256 hash to check if the image has been changed.

There are two commands to do this included in the Dockerfile file, which allows the user to sign an image when building it:

DOCKER_CONTENT_TRUST

DOCKER_CONTENT_TRUST_SERVER

The first command allows the user to enable and disable the Docker Content Trust check. If it is enabled, docker will check the image’s integrity, with a public or private repository.

The second order allows the user to define the URL where the Notary server is located. In most cases, companies with official images in the Docker Hub carry out this process internally.

An example inserting commands within the Dockerfile file:

  • export DOCKER_CONTENT_TRUST=1
  • export DOCKER_CONTENT_TRUST_SERVER=”https://notary.docker.io”

It is common to access the Dockerfile file to declare different types of secrets as bbdd connections declaring user and password. One of the solutions would be to delegate these functions to orchestrators such as Kubernetes or Docker Swarm.

Within the technological world, it is essential to be on the forefront. When taking on this challenge and opting for a micro services infrastructure, many companies leave security aside, prioritizing issues such as performance, cost reduction, infrastructure versatility, and other related issues.

Today these companies are at the center of cyber attacks; Security is no longer what it used to be, it must have a primary role and must be taken into account from the design of the new infrastructure.

Within the document it was disclosed how cyber criminals are lurking to exploit weaknesses and thus conceive new vulnerabilities. The special thing about the “Graboid Case” is not the particular fact of how the worm moves between different containers, it is rather how it managed to enter from the Docker Hub through an infected image by bypassing host security.

Part of security is being prepared and not underestimating the smallest details. Another non-minor detail is the ability to periodically extract new scripts from the C2, being able to easily reuse the ransomware or any other malware completely compromising the hosts. If a more powerful worm were created with a similar infiltration method, it could cause much greater damage. Some last recommendations:

  • Do not expose the Docker daemon to the Internet without first having a proper authentication method
  • Use SSH to connect to the Docker daemon remotely.
  • Use firewall rules, including inbound traffic.
  • Never download Docker images from unknown sites and/or unknown users.

[1] Unit 42, is a global intelligence team part of the Palo Alto Networks company, whose main function is to investigate and disseminate their findings, which are freely shared. Analysis documents include tools, techniques, and procedures that attackers execute to compromise the safety of organizations.

Unit 42 is a recognized authority in cyber threats, it is often sought by companies and government agencies around the world.

[2]The name “Graboid” is derived from the 1990 film “Tremors”, since the worm behaves similarly to the sandworms of that film, it moves in small bursts of speed, but in an unintelligent way.

[3]Command and control servers can be directly controlled by malware operators and able to run on infected computers.

[4]Shodan is a search engine that allows the user to find the same or different specific types of equipment connected to the Internet.

[1] Microsoft, «https://azure.microsoft.com/,» 2019. [Online]. Available: https://azure.microsoft.com/es-es/overview/what-is-paas/. [Last access: November 2019].

[two] Docker, «Docker,» November 2019. [Online]. Available: https://www.docker.com/resources/what-container.

[3] National Cryptojacking Center, «Cryptojacking,» CCN, 2019.

[4] Unit 42, «Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub, »October 16, 2019. [Online]. Available: https://unit42.paloaltonetworks.com/graboid-first-ever-cryptojacking-worm-found-in-images-on-docker-hub/. [Last access: November 2019].

[5] Kubernetes, «Kubernetes-Secrets,» November 2019. [Online]. Available: https://kubernetes.io/docs/concepts/configuration/secret/. [Last access: 2019].

[6] Docker, «Docker,» 2019. [Online]. Available: https://docs.docker.com/engine/swarm/secrets/

Exponential intelligence for exponential companies

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store