Misconfigured Docker API endpoints allow attackers to deliver DDoS botnet agent
CSO Online – Lucian Constantin
A new cyberattack campaign exploits insecure Docker Engine API endpoints to deploy a Python-based DDoS botnet within malicious container images on cloud servers.
These images are easily distributed via Docker Hub, making it simple for attackers to launch containers for diverse nefarious objectives.
The specific attack starts with a request to the Docker API, using a command that mimics `docker pull` to download and set up an image named `oracleiv_latest`.
Targeting exposed Docker APIs this way is not novel, but it remains a prevalent method for attack groups such as TeamTNT to deploy malware, especially for cryptojacking or DDoS purposes.
The Docker image in question, hosted on Docker Hub with over 3,000 downloads, includes an ELF binary that enables DDoS attacks using various methods such as TCP, UDP, and SYN floods, each with tailored variations to overcome different defenses.
While the image also contains a cryptocurrency miner, its primary use is for DDoS attacks.
The botnet establishes communication with a control server, sending system information and awaiting instructions.
The report from Cado Security highlights the risks associated with Docker’s image library, considering that harmful images are present and a fix is not forthcoming.
To mitigate risks, it is recommended that organizations assess Docker images for potential risks, ensure secure configurations, and defend critical infrastructure with authentication and firewalls.
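The mitigation advice above comes down to one concrete check: the Docker Engine API must not be reachable over TCP from the network without TLS client authentication. The script below is an added example, not code from the article or from Cado Security; it audits the `hosts` list of a `daemon.json` and flags any `tcp://` listener that is bound to a non-loopback address without `tlsverify` (and the accompanying `tlscacert`/`tlscert`/`tlskey` entries). The two embedded configurations are constructed samples that show the weak setting beside the hardened one; the certificate paths in them are placeholders.

```python
"""Audit a Docker daemon.json for an Engine API exposed over TCP without TLS."""
import json
from urllib.parse import urlsplit

# Constructed sample: the weak configuration the article's campaign relies on.
# Port 2375 is the conventional plaintext Docker API port; 0.0.0.0 binds every interface.
INSECURE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}
"""

# Constructed sample: the same listener hardened with mutual TLS.
# The certificate paths are placeholders; use your own PKI's files.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Bind addresses that are reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return a list of finding strings for the daemon.json text `text`.

    An empty list means no network-reachable, unauthenticated API listener was found.
    """
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))

    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            # unix:// and fd:// sockets are local-only and governed by file permissions.
            continue
        bind = parts.hostname or ""
        if bind in LOOPBACK:
            continue
        if bind == "":
            # No address given: the effective bind depends on the Docker version's
            # default, so treat it as needing manual review rather than silently passing.
            findings.append(f"{host}: no bind address given, verify it is not listening on all interfaces")
            continue
        if not tls_verify:
            findings.append(
                f"{host}: Docker API listens on a network interface without tlsverify; "
                "anyone who can reach this port can pull images and start containers"
            )
            continue
        missing = [k for k in TLS_FILE_KEYS if k not in cfg]
        if missing:
            findings.append(f"{host}: tlsverify is set but {', '.join(missing)} not configured")
    return findings


if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        result = audit_daemon_config(sample)
        print(f"{label}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

On a real host, read `/etc/docker/daemon.json` (or the `-H` flags in the `dockerd` service unit, which this script does not parse) and feed its contents to `audit_daemon_config`; a listener that passes this check still belongs behind a host firewall that limits which clients may reach the port at all.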
Link: https://www.csoonline.com/article/1247127/misconfigured-docker-api-endpoints-allow-attackers-to-deliver-ddos-botnet-agent.html