Towards the end of 2017, security researchers noticed a big change in malware attacks. As cloud-based technologies became more popular, hacking groups started targeting Docker and Kubernetes systems more often.
Most of these attacks followed a very simple pattern. The attackers scanned the Internet for misconfigured systems whose admin interfaces were exposed. The goal was to gain control of the servers and deploy crypto-mining malware.
Over the last three years these attacks have become even more common, and many new malware families and hacking groups targeting Docker and Kubernetes systems have appeared.
However, even though malware attacks on Docker servers are now more common, many web developers and IT infrastructure engineers still configure Docker servers incorrectly, leaving them exposed to attack.
The most common mistake is leaving Docker remote administration API endpoints exposed on the Internet without authentication.
Malware such as Doki, Ngrok, Kinsing (H2Miner), XorDDoS, AESDDoS, TeamTNT and others scan the Internet for Docker servers with the Docker management API exposed. Attackers then abuse it to deploy malicious OS images that install backdoors or crypto-mining malware.
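The misconfiguration described above can be checked for in the daemon's own configuration. The following audit function is an added example, not code from the article or from any of the projects it names; it reads a Docker `daemon.json` (the two sample configurations are constructed here) and flags any `tcp://` listener on a non-loopback address that is not protected by client-certificate verification (`tlsverify` plus CA, cert and key).

```python
"""Audit a Docker daemon.json for an unauthenticated remote API listener."""
import json
from urllib.parse import urlsplit

# Constructed sample: the API bound to every interface over plain TCP (the
# exposure the article describes).
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the same listener, but only clients presenting a
# certificate signed by the configured CA are accepted.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_hosts(daemon_json: str) -> list:
    """Return one finding per 'hosts' entry that exposes the Docker API over
    TCP on a non-loopback address without client-certificate verification."""
    cfg = json.loads(daemon_json)
    # Mutual TLS only counts when tlsverify is on AND all cert paths are set;
    # "tls": true alone encrypts the channel but does not authenticate clients.
    client_auth = cfg.get("tlsverify") is True and all(cfg.get(k) for k in TLS_KEYS)
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        if (parts.hostname or "") in LOOPBACK:
            continue  # loopback binding is not reachable from the Internet
        if client_auth:
            continue
        findings.append(f"{host}: remote Docker API reachable without client authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_hosts(cfg) or "OK")
```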
One such piece of malware was discovered last week by the Chinese security company Qihoo 360. Named Blackrota, it is a simple backdoor trojan: a simplified version of the Cobalt Strike beacon implemented in the Go programming language.
So far only a Linux version has been discovered, and it is not clear exactly how this malware is used. Researchers do not know whether there is a Windows version, or whether Blackrota is used for crypto-mining or to run a DDoS botnet.
What is certain is that Blackrota relies on developers having configured their Docker servers incorrectly.
Both the new malware and the earlier attacks show that more emphasis should be placed on the security of Docker systems.
Companies, web developers and engineers using Docker systems must make sure they have taken the appropriate measures to protect them.
At the moment there are many tutorials with step-by-step guides that will be useful even to the most inexperienced developers.
With Docker becoming more popular and attacks on such systems growing continuously, developers must make security a priority.