As part of our efforts to monitor malicious activity aimed at containers, we set up a machine that simulated a Docker host with an exposed API — one of the most common targets of container-based threats — to act as a honeypot. Our goal was to monitor the honeypot and detect if someone finds and uses it to deploy unwanted containers, after which we would ideally be able to trace them back to their source. We recently checked on the status of our honeypot and discovered that a single image or snapshot of a container was already deployed in the environment.
By analyzing the logs and traffic data coming to and from the honeypot, we learned that the container came from a public (and thus accessible) Docker Hub repository named zoolu2. Upon checking and downloading the contents of the repository, we found that it contained nine images comprised of custom-made shells, Python scripts, configuration files, as well as Shodan and cryptocurrency-mining software binaries. Note that Docker caught the repository independently and has taken it offline as of writing.
All the images in the zoolu2 repository contained the binary of a Monero (XMR) cryptocurrency miner. This piqued our interest since we’ve already had experience with containers being deployed as miners. In addition, some of the images contained a Shodan script that lists Docker hosts with exposed APIs, which we surmised was being used to identify suitable targets for further container distribution.
Figure ..
Support the originator by clicking the read the rest link below.
