New OracleIV DDoS Botnet Malware Targets Docker Engine API to Deliver Malicious Container Image
Cado Security Labs researchers recently discovered a novel campaign targeting publicly exposed instances of the Docker Engine API. Attackers exploit this misconfiguration to deliver a malicious Docker container containing malware written in Python and compiled as an ELF executable. The malware acts as a DDoS bot agent, capable of conducting DoS attacks via several methods.
Via the Docker API command, the attacker retrieves an image named OracleIV, uploaded to Docker Hub by a malicious user. The image was still live at the time of writing, with over 3,000 pulls, and appeared to be undergoing regular iteration, with the most recent changes pushed only 3 days before Cado’s blog writeup.
OracleIV demonstrates that attackers are still intent on leveraging misconfigured Docker Engine API deployments for various campaigns. Containerization’s portability allows malicious payloads to be executed deterministically across Docker hosts, regardless of the host’s configuration. Users of Docker Hub should be aware that malicious container images exist in Docker’s image library.
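As an added example (not code from Cado's writeup or from this post), a defender-side check in Python that reads Docker daemon event lines, as emitted by `docker events --format '{{json .}}'`, and flags any image pull or container creation whose image comes from outside an approved registry; the approved registry name and the sample event lines are constructed for illustration.

```python
import json
from typing import List, Tuple

# Hypothetical policy: only the organisation's own registry is approved.
# Docker Hub is deliberately absent, since malicious images live there.
APPROVED_REGISTRIES = {"registry.internal.example"}

def normalize_image_ref(ref: str) -> Tuple[str, str, str]:
    """Split an image reference into (registry, repository, tag), applying
    Docker's defaults: no registry -> docker.io, bare name -> library/, no tag -> latest."""
    if "@" in ref:                      # strip a trailing @sha256:... digest
        ref = ref.split("@", 1)[0]
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, rest = first, "/".join(parts[1:])
    else:
        registry, rest = "docker.io", ref
    if registry == "docker.io" and "/" not in rest:
        rest = "library/" + rest        # official images are namespaced under library/
    if ":" in rest.rsplit("/", 1)[-1]:  # tag is only a colon in the last path segment
        repo, tag = rest.rsplit(":", 1)
    else:
        repo, tag = rest, "latest"
    return registry, repo, tag

def flag_unapproved_images(event_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (action, normalized image) for pulls/creates outside the approved registries."""
    findings = []
    for line in event_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        actor = ev.get("Actor", {})
        if ev.get("Type") == "image" and ev.get("Action") == "pull":
            image = actor.get("ID", "")                     # pull events carry the ref in Actor.ID
        elif ev.get("Type") == "container" and ev.get("Action") == "create":
            image = actor.get("Attributes", {}).get("image", "")
        else:
            continue
        registry, repo, tag = normalize_image_ref(image)
        if registry not in APPROVED_REGISTRIES:
            findings.append((ev["Action"], f"{registry}/{repo}:{tag}"))
    return findings

# Constructed sample events; the image names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    '{"Type":"image","Action":"pull","Actor":{"ID":"registry.internal.example/team/app:1.4","Attributes":{}}}',
    '{"Type":"image","Action":"pull","Actor":{"ID":"someuser/untrusted:latest","Attributes":{}}}',
    '{"Type":"container","Action":"create","Actor":{"ID":"abc123","Attributes":{"image":"alpine"}}}',
]
```

Running `flag_unapproved_images(SAMPLE_EVENTS)` reports the Docker Hub pull and the container created from the bare `alpine` reference, while the internal-registry pull passes.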
You can read their writeup on this here.
This entry was posted on November 13, 2023 at 9:00 am and is filed under Commentary with tags Cado Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.