Cybercriminals Use Docker API Servers to Launch Crypto Mining Attacks with SRBMiner


Trend Micro has discovered that malicious actors have been deploying the SRBMiner crypto miner on compromised machines by targeting exposed Docker remote API servers.
“In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host,” researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published yesterday.
“The attacker first checked the availability and version of the Docker API, then proceeded with requests for gRPC/h2c upgrades and gRPC methods to manipulate Docker functionalities.”

In order to initiate a connection upgrade request to the h2c protocol (i.e., HTTP/2 without TLS encryption), the attacker must first perform a discovery process to identify public-facing Docker API hosts and determine whether HTTP/2 protocol upgrades are available.

The attacker then looks for gRPC calls that are intended to perform a number of functions associated with running and maintaining Docker environments, such as file synchronization, authentication, secrets management, health checks, and SSH forwarding.
A “/moby.buildkit.v1.Control/Solve” gRPC request is sent to the server after the connection upgrade request has been processed. This call creates a container, which is subsequently used to mine the XRP cryptocurrency using the SRBMiner payload hosted on GitHub.
“The malicious actor in this case leveraged the gRPC protocol over h2c, effectively bypassing several security layers to deploy the SRBMiner crypto miner on the Docker host and mine XRP cryptocurrency illicitly,” the researchers said.
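The sequence described above (Docker API version probe, h2c upgrade, gRPC traffic, then a BuildKit Solve call) can be turned into a simple correlation rule. The following is an added example, not code from the Trend Micro report; the log line shape (client IP, method, path, Upgrade header, Content-Type) and the sample entries are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample request log (not from the article); one request per line:
# client_ip method path upgrade_header content_type ("-" when absent)
SAMPLE_LOG = """\
203.0.113.7 GET /version - -
203.0.113.7 GET /v1.45/_ping - -
203.0.113.7 POST /grpc h2c application/grpc
203.0.113.7 POST /moby.buildkit.v1.Control/Solve - application/grpc
198.51.100.4 GET /v1.45/containers/json - -
198.51.100.4 POST /v1.45/containers/create - application/json
"""

# gRPC method named in the report as the one that creates the mining container.
BUILDKIT_SOLVE = "/moby.buildkit.v1.Control/Solve"


def parse_line(line):
    """Split one constructed log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ip, method, path, upgrade, ctype = fields
    return {"ip": ip, "method": method, "path": path, "upgrade": upgrade, "ctype": ctype}


def score_client(events):
    """Return the list of indicators observed for a single client, in fixed order."""
    hits = []
    if any(e["path"].rstrip("/").endswith(("/version", "/_ping")) for e in events):
        hits.append("api_probe")          # availability / version discovery
    if any(e["upgrade"].lower() == "h2c" for e in events):
        hits.append("h2c_upgrade")        # cleartext HTTP/2 upgrade request
    if any(e["ctype"] == "application/grpc" for e in events):
        hits.append("grpc_traffic")       # gRPC framing on the Docker API port
    if any(e["path"] == BUILDKIT_SOLVE for e in events):
        hits.append("buildkit_solve")     # container creation via BuildKit
    return hits


def detect(log_text):
    """Group requests by client and alert when h2c upgrade and Solve occur together."""
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event:
            by_ip[event["ip"]].append(event)
    alerts = {}
    for ip, events in by_ip.items():
        hits = score_client(events)
        if "h2c_upgrade" in hits and "buildkit_solve" in hits:
            alerts[ip] = hits
    return alerts
```

A legitimate BuildKit client may also use gRPC over the API socket, so the rule is a triage signal to be combined with source-IP allowlists and authentication logs rather than a verdict on its own.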

The disclosure follows Trend Micro's earlier report of attackers using exposed Docker remote API servers to spread the perfctl malware. Probing for such servers is the first step in that campaign. Next, a Docker container with the image “ubuntu:mantic-20240405” is created, and a Base64-encoded payload is executed.
Echoing a report from Aqua earlier this month, the shell script checks for and terminates duplicate instances of itself, then generates a bash script that in turn contains another Base64-encoded payload. That payload downloads a malicious binary posing as a PHP file (“avatar.php”) and delivers a payload named httpd.

Users are advised to protect Docker remote API servers by enforcing strong authentication and access controls to block unauthorized access, monitoring for unusual activity, and following container security best practices.
