CyberWire Daily - They fooled a lot of people. [Research Saturday]

Episode Date: August 29, 2020

Docker containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images. Palo Alto Networks' Unit 42 researchers identified a malicious Docker Hub account, azurenql, active since October 2019 that was hosting six malicious images intended to mine the cryptocurrency Monero. The images hosted on this account have been collectively pulled more than two million times. Additionally, when Palo Alto's team last checked minexmr.com for this wallet ID, they saw recent activity indicating that it's still being used. Joining us on this week's Research Saturday is Jen Miller-Osborn from Palo Alto Networks' Unit 42 group to share the research and findings. The research and blog post can be found here: Attackers Cryptojacking Docker Images to Mine for Monero

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Starting point is 00:01:17 So the researchers initially found this because they were specifically looking for repositories which were mimicking legitimate repository names. That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence with Palo Alto Networks' Unit 42. The research we're discussing today is titled Attackers Cryptojacking Docker Images to Mine for Monero.
Starting point is 00:02:19 So for the account in particular that they found, you'll note that it begins with Azure. And then it had NQL appended to it and then a random string of numbers. So that was what initially kind of tipped off the researchers that there might be something worth looking at here because it wasn't a legitimate
Starting point is 00:03:29 actual image, but it was definitely trying to pretend that it was one. And then when they actually pulled them down and ran them, they realized that they were installing coin mining software on the systems that they were installed on. So it was a cryptojacking attack and they were just, their goal was to trick users into thinking these were legitimate images. So when they downloaded them and ran them, they actually run the way they're supposed to and nothing happens to let a user know that crypto mining software has been installed. It doesn't spike the CPU usage.
Starting point is 00:04:00 It doesn't do anything in front of you. So as far as someone who had downloaded it would be concerned, this would seem to work perfectly fine. There's no indication that there's something malicious going on. And it looks like they were pretty successful because we were able to see that the images had been downloaded over 2 million times. So they fooled a lot of people. Well, let's back up here and go over some of the basics together for folks who might not be up on some of the specifics. Can you describe to us exactly how Docker works and sort of the backstory of the ecosystem here that these folks inserted themselves into? Sure. So Docker is a very popular kind of cloud container service.
Starting point is 00:04:46 And one of the reasons it's become so popular is because there's this component called Docker Hub, which has a very strong kind of community surrounding it. So it's very common for people to host other images and repositories to Docker Hub for people to pull down if they've already created ones for specific use cases and things like that. What attackers are doing is they're taking advantage of that community-based model where people have traditionally been posting things to help other people. Well, now you have attackers inserting themselves into that
Starting point is 00:05:18 and they're posting things that appear to be helpful, but in fact are actually installing crypto mining software. So a legitimate use case of this would be, for example, if I were putting together some sort of bit of software, I could go to Docker Hub and look for a component that might help me along the way, something that would have some sort of functionality that would help with the thing that I'm trying to do. Yep. And so the bad guys in this particular case, what were they trying to disguise their containers as? So they were trying to mimic Azure was their goal.
Starting point is 00:05:58 And what people downloaded actually appeared to be a legitimate installation. The only difference difference the only real change the actors made to this was they added crypto jacking software and they took one extra step when they did that of also having um tor installed along with this so they came up with a rather clever way of hiding the c2 on the back end, because one of the typical ways this would be detected would be the C2 comms back and forth. But because the attackers for this chose to route that back through Tor, that breaks that kind of typical detection pattern that a lot of people tend to have in place for things like this. Well, let's walk through it together. So suppose
Starting point is 00:06:44 that I'm someone who was looking for a component like this and one of these caught my eye and i go ahead and download it uh what happens next so while you're downloading it and it's installing what appears to be what you wanted in the background what the program is doing is it's installing Tor, as well as the coin mining software. So you're getting what you wanted, but you're getting some malware along with it. And unfortunately, they also were a little bit more clever in hiding the comms. So by installing Tor and using that, it breaks a lot of detection that you would typically see. So now you're relying on there being something on the host itself
Starting point is 00:07:29 that could detect the behavior of the coin miner that's not reliant upon in any way being able to see kind of the C2 communication. I see. And the installation of these extra components, of the Tor components and then also the cryptooMiner, these would go undetected? Depending on what sort of protection you're running. If you don't have something specifically with these running on an endpoint, it's likely to go undetected. Especially because if you're running things largely only at the firewall level, that's what they're using Tor for to kind of get around is to get things through a firewall that way to hide it.
Starting point is 00:08:10 Because while in some cases organizations do block Tor, and that would break this, in a lot of cases there's a lot of legitimate uses for Tor. So it's allowed through, but one of the components of that means that there's no visibility into what the actual contents of the traffic are. So it was kind of a sneaky little way that the authors got around that, which was interesting. Yeah, it's also interesting to me that you mentioned that they had a little bit of restraint when it came to their crypto mining components as well. I think often when we think about crypto mining, you think you get infected with something and the first thing that happens is all your fans start spinning,
Starting point is 00:08:49 you know, at maximum speed as your processors are pegged. But they were a little more careful than that. Yep, they made sure that that was not going to happen and that they weren't taking up an excess amount of resources. So they could, conceptually, they could just sit there forever or until they're actually caught and kicked out. And they'd been successful. One of the wallets that we were able to identify as being associated with this had about $36,000 worth of Bitcoin in it. And that's
Starting point is 00:09:19 only one of the wallets we were able to figure out how much money was in it. So this potentially has been very lucrative for them. And all they had to do was just create this malicious image, post it to Docker Hub, and basically sit back and profit. That's about as complicated as this is. Right. Well, but as you say, I mean, the functionality that people were looking for, that's built into it as well. So these are functioning the way that you think they should. You're just not aware that in the background, this mining is going on. Yep.
Starting point is 00:09:52 And in a lot of cases, people just kind of, they don't really view it as a problem because nothing traditionally malicious is actually happening. You know, they're able to use a computer. None of the resources are spiking. There's nothing being exfiltrated. There's nothing actually being damaged. So it's sort of people tend to not pay as much attention to. But the problem with this is while this isn't doing any damage, it's still something that
Starting point is 00:10:19 you didn't know and or didn't want installed. And that just highlights a security hole because if that's there and this is relatively benign, what else could potentially also get into the system through a similar kind of security hole? Like in this case, you were lucky and it was a coin miner. Next time you might not be lucky and it could be ransomware. So it's definitely something that people should pay attention to.
Starting point is 00:10:43 And you all reached out to the folks who run the Docker Hub, and they've been quite responsive. Yep, they're absolutely great to work with. They're in a difficult position as well, so they're super responsive when you bring anything to their attention to take things like this down. So what are ways that folks can detect this sort of thing? Honestly, it's relatively difficult. You need to have some sort of good threat signatures at a, say, a firewall or a next-generation firewall, and then outside of that, you need to be running something
Starting point is 00:11:14 that can look inside cloud containers, basically, and check them for malware or malicious behavior. Now with everyone kind of at home and everything shifting exclusively online, you know, that means that all different types of criminals are also going to shift in that direction, looking for ways to make money. And this is one way where it was relatively simple and they were able to make quite a bit of money. And now, a message from Black Cloak.
Starting point is 00:11:59 Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Our thanks to Jen Miller Osborne from Palo Alto Network's Unit 42 for joining us. The research we discussed was titled
Starting point is 00:12:37 Attackers Crypto-Jacking Docker Images to Mine for Monero. We'll have a link in the show notes. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,
Starting point is 00:12:57 Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Starting point is 00:13:04 Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
