Misconfigured Docker containers abused to deliver cryptocurrency mining malware

Researchers at Trend Micro have recently spotted malicious activity abusing systems running misconfigured Docker containers.

According to Trend Micro, the malicious actors are specifically targeting Docker Engine-Community with Docker application program interface (API) ports exposed.

Docker is a lightweight, standalone, executable software package that performs operating system (OS) level virtualization, also known as “containerization.”

Trend Micro observed the actors were scanning for open ports 2375/TCP and 2376/TCP, which are used by the Docker engine daemon (dockerd).

The attackers then attempt to deploy a cryptocurrency-mining malware that Trend Micro dubbed “Coinminer.SH.MALXMR.ATNE” on the misconfigured systems.

“The Docker APIs, in particular, allow remote users to control Docker images like a local Docker client does. Opening the API port for external access is not recommended, as it can allow hackers to abuse this misconfiguration for malicious activities,” Trend Micro said in a recent blog post.

To help combat this type of threat, Trend Micro provided best practices to improve Docker security: 

  • Harden Docker engines using established benchmarks such as the Center for Internet Security (CIS) reference guidance.
  • Make sure Docker container images are authenticated, signed, and from a trusted registry (e.g., Docker Trusted Registry).
  • Run automated scans to detect vulnerable packages or malware.
  • Enforce the principle of “least privilege” (e.g., restrict access to the daemon and encrypt the communication protocols it uses to connect to the network). See Docker guidelines to help protect the daemon socket.
  • Properly configure appropriate system resources containers are allowed to use (e.g., control groups and namespaces).
  • Enable Docker’s built-in security features to help defend against threats per Docker development best practices guidelines.
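As an added example (not code from the Trend Micro post or from Docker itself), the check below reads a Docker daemon.json and flags the kind of daemon exposure described above: a TCP listener on the API port without TLS client-certificate verification, or bound to every interface. The two configuration documents, the interface address and the certificate paths are constructed samples; the daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker's real option names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json documents (not taken from any real host).
# Weak setting: plaintext API listener on 2375, reachable from any interface.
INSECURE_DAEMON_JSON = """
{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"] }
"""
# Hardened setting: listener on a specific address, TLS with client-cert
# verification enforced (certificate paths are assumed for the example).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def audit_daemon_config(text):
    """Return a list of findings for a daemon.json document; empty means no issue found."""
    cfg = json.loads(text)
    findings = []
    tls_verify = cfg.get("tlsverify") is True
    tls_files = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            # unix:// sockets are local-only and governed by filesystem permissions
            continue
        if not tls_verify or not tls_files:
            findings.append(f"{host}: TCP API listener without TLS client-certificate verification")
        if parts.hostname in ("0.0.0.0", "::"):
            findings.append(f"{host}: API listener bound to all interfaces")
        if parts.port == 2375:
            findings.append(f"{host}: 2375/TCP is the conventional plaintext Docker API port")
    return findings


if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or ["no findings"])
```

On a real host, point the script at /etc/docker/daemon.json and also check dockerd's command-line flags, since -H and --tls* options given on the command line override or supplement the file.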