Security researchers have discovered a new cryptojacking worm that propagates through malicious images on Docker to mine crypto using victims’ resources. Thought to be the first of its kind, the cryptojacking worm, known as Graboid, uses host computers to mine for privacy coin Monero while spreading itself to other systems, according to researchers at Unit 42.

Because the attack runs in the background, many instances may go undetected, harvesting user resources to mine cryptocurrency without the permission, and often without the knowledge, of the host.

Senior Cloud Vulnerability and Exploit Researcher at Unit 42, Jay Chen, said the images were wreaking havoc on incorrectly configured containers, and urged organizations using Docker Hub to avoid relying on default configurations.

We’re continuing to see instances where the failure to properly configure containers can lead to the loss of sensitive information and as a result, default configurations can be significant security risks for organizations.

The researcher noted, “We have a growing concern attackers will continue to exploit these issues in unpatched instances to spread their footprint by escaping containers and gaining persistence on the container hosts and more can definitely be done to secure them. Many of these malicious images are disguised as other popular container images while containing a backdoor, sometimes retaining the original image’s functionality to avoid getting detected.”

Research from Unit 42 suggests that as many as 20,353 Docker Hub containers could potentially be open to attack because they rely on default configurations.

“We haven’t observed this specific worm in Kubernetes, but earlier this year, our research found that some 20,353 Kubernetes [containers] around the world operate under default configurations,” according to the report. “This doesn’t necessarily mean that these platforms are vulnerable to exploits, but it demonstrates that seemingly basic misconfiguration practices exist in large quantities and as attacks continue to evolve, it will make organizations targets for further compromising events.”

Chen said organizations needed to be able to automatically “model and whitelist application behavior” to deal with these security risks. He explained, “As your organization’s cloud footprint grows, being able to automatically model and whitelist application behavior becomes a powerful tool for securing cloud workloads against attacks and compromises.”
