A new attack that uses Docker containers to hide, persist and plant malware was demonstrated at Black Hat by a team of security researchers from Aqua Security.
The attack targets Docker installations that expose the Docker API through TCP, a default configuration for Windows PCs running previous versions of Docker for Windows, Threatpost reports.
Docker acknowledged the issue of allowing remote access to the Docker daemon over TCP/HTTP on previous versions of Docker for Windows, but has since changed the default configuration to close the HTTP port on newer versions.
Threatpost also recommends “allowing authenticated clients (certificates) access to exposed ports, blocking port 2375 on the Moby Linux VM interface via a firewall and also disabling LLMNR and NetBIOS on all endpoints.”
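As an added illustration of the certificate recommendation (not code from Threatpost, Aqua Security or Docker), the following script audits a Docker `daemon.json` for TCP listeners that lack client-certificate verification. It assumes the daemon is configured through `daemon.json` rather than command-line flags; the sample configurations and certificate paths are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configurations (not taken from any real host).
EXPOSED = '{"hosts": ["tcp://0.0.0.0:2375", "npipe://"]}'
HARDENED = '''{
  "hosts": ["tcp://0.0.0.0:2376", "npipe://"],
  "tlsverify": true,
  "tlscacert": "C:/certs/ca.pem",
  "tlscert": "C:/certs/server-cert.pem",
  "tlskey": "C:/certs/server-key.pem"
}'''

def audit_daemon_config(text):
    """Return findings for TCP listeners that lack client-certificate auth."""
    cfg = json.loads(text)
    findings = []
    # tlsverify makes the daemon require client certs signed by tlscacert.
    tlsverify = cfg.get("tlsverify") is True
    missing = [k for k in ("tlscacert", "tlscert", "tlskey") if not cfg.get(k)]
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # named pipes and unix sockets are not network listeners
        if not tlsverify:
            findings.append(f"{host}: TCP listener without tlsverify (no client authentication)")
        elif missing:
            findings.append(f"{host}: tlsverify set but missing {', '.join(missing)}")
        if url.port == 2375:
            findings.append(f"{host}: port 2375 is the conventional plaintext API port")
    return findings

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_daemon_config(sample) or "no findings")
```
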