• Cyber Syrup
  • Posts
  • Hackers Are Using Docker Remote API Servers For Crypto Mining

Hackers Are Using Docker Remote API Servers For Crypto Mining

Hackers are increasingly targeting Docker remote API servers to deploy cryptocurrency mining malware

In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Whiskey: A Hedge Against Market Volatility

Looking to protect your portfolio from the next recession?

Consider investing in rare spirits like whiskey.

Whiskey investing provides a proven hedge against stock market dips driven by inflation and other factors.

With Vinovest, you can invest in high-growth segments such as American Single Malt, emerging Scotch, Bourbon, and Irish whiskey. Thanks to established industry relationships, Vinovest overcomes industry barriers that have made historically whiskey investing expensive and opaque. As a result, you can enjoy high-quality inventory that boosts your portfolio value and enhances liquidity.

Hackers Are Using Docker Remote API Servers For Crypto Mining

Recent findings from Trend Micro have revealed that malicious actors are increasingly targeting Docker remote API servers to deploy cryptocurrency mining malware. Specifically, attackers are leveraging the SRBMiner crypto miner on compromised instances by exploiting the Docker API and using advanced techniques to evade detection.

Understanding the Attack

In this attack, cybercriminals are using the gRPC protocol over h2c (HTTP/2 Cleartext) to bypass security solutions and carry out their illicit crypto mining operations. According to researchers Abdelrahman Esmail and Sunil Bharti, the process starts with an initial discovery phase, where attackers scan for public-facing Docker API hosts that allow HTTP/2 upgrades.

Once the availability of these servers is confirmed, the adversaries upgrade the connection to h2c, which bypasses TLS encryption and allows them to issue gRPC requests to the Docker host. This method effectively circumvents several security layers, making it easier for attackers to infiltrate Docker environments.

After gaining access, the attackers use gRPC methods designed to manage Docker functionalities, such as health checks, file synchronization, and SSH forwarding. They also exploit Docker to create containers and deploy SRBMiner, a tool used to mine the XRP cryptocurrency.

How the Attack Unfolds

  1. Discovery: The attacker initiates the attack by scanning for public-facing Docker API hosts that support HTTP/2 upgrades.

  2. Connection Upgrade: Once a vulnerable Docker host is identified, the attacker sends a request to upgrade the connection to h2c, which is essentially HTTP/2 without TLS encryption.

  3. gRPC Methods: The attacker uses gRPC methods to manipulate Docker environments, taking advantage of Docker's API functionalities.

  4. Mining Deployment: A gRPC request ("/moby.buildkit.v1.Control/Solve") is sent to the Docker server to create a container. Inside this container, the SRBMiner payload—hosted on GitHub—is deployed to mine XRP cryptocurrency.

By using the gRPC protocol over h2c, attackers successfully bypass various security layers, enabling them to execute their mining operations with minimal interference from detection systems.

Who is at Risk?

Organizations that use Docker and expose Docker's remote API to the internet without proper security measures are at significant risk. This vulnerability mainly affects environments where:

  • Docker remote APIs are exposed: Public-facing Docker APIs without authentication mechanisms are prime targets for these types of attacks.

  • Insufficient security controls are in place: Docker hosts lacking security monitoring, access controls, and authentication mechanisms are more likely to be compromised.

  • Unpatched or misconfigured systems: Systems that haven't been properly configured or updated with the latest security patches are more vulnerable to exploitation.

Industries utilizing Docker for scalable application deployment and management—such as cloud service providers, DevOps teams, and organizations heavily reliant on containerization—are particularly vulnerable to these attacks.

Recent Related Activity

In addition to deploying SRBMiner, Trend Micro has observed other similar campaigns targeting Docker remote API servers. For instance, attackers have been found exploiting exposed Docker servers to deploy malware such as perfctl.

In these attacks, the adversaries create a Docker container using an "ubuntu" image and execute Base64-encoded payloads to run malicious scripts. These scripts deliver a disguised payload that eventually downloads and installs the malicious software—further emphasizing the growing trend of exploiting Docker environments for nefarious purposes.

How to Protect Yourself

To mitigate the risks posed by these attacks, organizations must implement robust security measures for Docker environments. Some critical steps include:

  1. Restrict Public Access to Docker APIs: Ensure that Docker's remote API is not exposed to the internet unless absolutely necessary. If required, limit access to specific IP addresses or internal networks.

  2. Enable Authentication: Configure strong authentication and access control mechanisms to secure Docker APIs. Use TLS/SSL to encrypt communication between clients and the Docker server.

  3. Monitor for Unusual Activity: Implement security monitoring tools to detect suspicious activities, such as unauthorized access attempts or unusual container creation events.

  4. Regular Updates and Patching: Keep Docker software and its components up-to-date with the latest patches to fix vulnerabilities that could be exploited by attackers.

  5. Use Role-Based Access Control (RBAC): Implement RBAC policies to ensure that only authorized users can perform certain actions on Docker containers and related resources.

  6. Implement Container Security Best Practices: Ensure that Docker containers are configured securely by following best practices, such as minimizing container privileges and enabling resource quotas.

  7. Conduct Security Audits: Regularly audit your Docker configurations, API access logs, and container deployments to identify any potential vulnerabilities.

Conclusion

As Docker continues to gain popularity for managing containerized applications, it has also become an attractive target for cybercriminals. The recent exploitation of Docker remote APIs to deploy cryptocurrency mining malware like SRBMiner highlights the importance of securing these environments. By implementing strong access controls, monitoring for suspicious activities, and keeping systems up-to-date, organizations can protect their Docker infrastructure from being compromised and ensure their systems remain secure against these emerging threats.