Hackers Targeting Open Docker Daemon Ports Using DDoS Bot

Recently, cybersecurity researchers have detected an open directory that has been carrying malicious files. However, this DDoS attack has been initially reported in a series of Twitter posts by the security threat team MalwareHunterTeam. 

After investigating the whole matter they found a malicious cryptocurrency miner and Distributed Denial of Service (DDoS) bot that has been targetting the open Docker daemon ports.

Moreover, the security experts from Trend Micro reported that the attack commences with the shell script named mxutzh.sh. But, this shell script scans for open ports (2375, 2376, 2377, 4243, 4244) and then generates an Alpine Linux vessel that will host the coin miner and DDoS bot.

Shell script that will drop and execute its other components:-

clean.sh: It finds other coin miners and malware to clean/remove.

dns: It’s the Kaiten/Tsunami DDoS bot.

lan.ssh.kinsing.ssh: Via SSH it attempts lateral movement.

NarrenKappe.sh: From the host machine, it exfiltrates sensitive information and also configures the firewall to allow ports. 

setup.basics.sh: It assures that the services are required by the other components that are established in the system.

setup.mytoys.sh: It downloads and compiles the source code of a log cleaner.

setup.xmrig.curl.sh: It downloads and installs the coin miner payload.

sysinfo: It procures several system information and then it reports it back to its own C&C server.

Indicators of Compromise

  • hxxp://45[.]9[.]148[.]123/COVID19/nk/NarrenKappe.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/clean.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/lan.ssh.kinsing.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.basics.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.mytoys.sh
  • hxxp://45[.]9[.]148[.]123/COVID19/sh/setup.xmrig.curl.sh
  • hxxp://teamtnt[.]red/dns
  • hxxp://teamtnt[.]red/sysinfo
  • hxxp://teamtnt[.]red/up/setup_upload.php
  • irc[.]kaiserfranz[.]cc

Mitigations Against Docker-related Attacks

The security analysts have suggested some specific protections, and they asserted that they will help to protect all the containers from this kind of DDoS attack:-

  • Manage the containers in a container-focused OS to lessen the attack surface.
  • Use controllers like intrusion prevention systems (IPS) and web filtering to monitor network traffic.
  • Restrict access to only those who require it to reduce the uncertainties of compromise.
  • Implement the best security practices.

Not only this but users can also depend on the resulting security solutions of Trend Micro to protect Docker containers, and here they are mentioned below:-

  • Trend Micro Hybrid Cloud Security
  • Trend Micro Cloud One
  • Trend Micro Deep Security Software
  • Trend Micro Deep Security Smart Check

Apart from this, the security authorities affirmed that users must follow the protection carefully so that it will help them to protect themselves from such DDoS attacks.

Found this article interesting!! Follow us on LinkedinTwitterFacebook for daily Cyber Security News & Updates

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.