'Commando Cat' Digs Its Claws Into Exposed Docker Containers
Attackers are taking advantage of misconfigured containers to deploy cryptocurrency mining software.
June 6, 2024
For months now, cybercriminals have been taking advantage of misconfigured Docker containers to perform cryptojacking.
"Commando Cat" — not the only campaign targeting Docker lately — traces back to the beginning of the year. According to the latest update from Trend Micro, the unknown attackers are still exploiting Docker misconfigurations to gain unauthorized access to containerized environments, using Docker images to deploy cryptocurrency miners and make a quick buck.
Manipulating Docker Containers
For a long time now, containerization has been useful for organizations. More recently, it also has been useful for cyberattackers.
"What we're seeing is cybercriminals utilizing these same Docker capabilities to get their own containers running on your infrastructure," explains Al Carchrie, R&D lead solutions engineer at Cado Security, the first to uncover Commando Cat (as well as the other latest Docker exploitation) back in January. "There are two ways you can do that. You can register a container within a library, and you can then call that container from the library that contains your malicious code, and get that malicious code to run. We're starting to see people move away from that, because the libraries are doing a really good job of looking for malicious containers."
Commando Cat takes the other approach: using benign containers as blank slates upon which they can pull in and run their malicious code.
To do this, as in so many modern cyberattacks, the threat actor first identifies exposed endpoints to hone in on. In this case, those endpoints are Docker remote API servers. "Nine times out of 10, this is going to come down to a misconfiguration. As we see with quite a lot of incidents, whether in the cloud or on premise or hybrid, it's pretty much down to oversight," Carchrie notes.
With exposed endpoints as an initial means of access, the attacker deploys a harmless Docker image using the open source tool Commando, then uses it as the basis to create a new container. Then, using the "chroot" Linux operation and volume binding — a means of linking directories in host systems with Docker containers — they peek outside of the container and ultimately escape to the host operating system.
By the end, they can establish a command-and-control (C2) channel and upload their cryptojacking malware.
What Organizations Can Do
Commando Cat's attacks have been streamlined somewhat from earlier this year, when its payloads included scripts designed to backdoor the target system, establish persistence, exfiltrate cloud credentials, and more. What's clear is that, under different circumstances, this same kind of attack could lead to far more than just cryptojacking.
To mitigate that risk, Trend Micro recommends organizations use only official or certified Docker images, avoid running containers with root privileges, perform regular security audits, and adhere to general guidelines and best practices around containers and APIs.
And most of all, Carchrie emphasizes, "Make sure that your Docker container's API is not directly accessible to the Internet."
About the Author
You May Also Like