- Buy Microsoft Visio Professional or Microsoft Project Professional 2024 for just $80
- Get Microsoft Office Pro and Windows 11 Pro for 87% off with this bundle
- Buy or gift a Babbel subscription for 78% off to learn a new language - new low price
- Join BJ's Wholesale Club for just $20 right now to save on holiday shopping
- This $28 'magic arm' makes taking pictures so much easier (and it's only $20 for Black Friday)
Python Malware Poses DDoS Threat Via Docker API Misconfiguration
Security researchers have identified a new cyber-threat targeting publicly exposed instances of the Docker Engine API.
In this campaign, attackers exploit misconfigurations to deploy a malicious Docker container with Python malware compiled as an ELF executable. The malicious tool, functioning as a Distributed Denial of Service (DDoS) bot agent, exhibits various attack methods for conducting DoS attacks.
According to an advisory published by Cado Security Labs earlier today, the Docker Engine API, a previously targeted entry point, has gained popularity for initiating such attacks, often associated with the delivery of cryptojacking malware. The inadvertent exposure of the Docker Engine API occurs frequently. This prompts multiple unrelated campaigns to scan for potential vulnerabilities.
The novel campaign discovered by the security experts involves attackers initiating access with an HTTP POST request to Docker’s API, leading to the retrieval of a malicious Docker container from Dockerhub. The attacker uses a Docker Hub user to host a specific container designed to appear innocuous as a MySQL image for Docker.
Static analysis of the malware’s ELF executable revealed a 64-bit, statically linked ELF with intact debug information, indicating Python code compiled with Cython. The code is relatively short, focusing on various DoS methods, including SSL-based, UDP-based and Slowloris-style attacks.
The bot connects to a command-and-control (C2) server, authenticating with a hard-coded password. Cado Security Labs monitored the botnet activity, witnessing DDoS attacks using UDP- and SSL-based floods. The C2 commands instruct the botnet to target specific IP addresses or domains, determining attack duration, rate and port.
Despite not observing actual mining activity, the researchers cautioned that the malicious container contains files that could facilitate such actions.
Read more on Docker security: Experts Warn of Impending TeamTNT Docker Attacks
Additionally, while OracleIV is not categorized as a supply chain attack, Docker Hub users are urged to remain vigilant, perform periodic assessments of pulled images and implement network defenses.
Cado Security Labs has reported the malicious user behind OracleIV to Docker, emphasizing the ongoing existence of malicious container images in Docker’s library. Users are encouraged to stay proactive in mitigating risks associated with misconfigured internet-facing services.