Exploitation of Docker remote API servers has reached a “critical level”

Hackers are exploiting unprotected Docker remote API servers to deploy malware, with researchers stating the threat has reached a “critical level” and warning organizations to act now.

A report from Trend Micro published on 21 October details how researchers observed an unknown threat actor abusing exposed docker remote API servers to deploy the ‘perfctl’ malware.

The attack sequence begins with the attacker pinging servers to establish the presence of a vulnerable Docker remote API server. In the next stage, the attacker was observed creating a Docker container, deliberately giving it a similar name to a legitimate one. 

The container is configured to operate in privileged mode, and the attackers utilized the process ID ‘host’, allowing it to share the same PID namespace as the host system.

“This means the processes running inside the container will share the same PID namespace as the processes on the host. As a result, the container's processes will be able to see and interact with all the processes running on the host system in the same way as all running processes, as if they were running directly on the host,” the report explained.

Attackers then execute the Base64 encoded payload via the Docker Exec API. The payload’s initial goal is to escape the container using the ‘nsenter’ command, which effectively grants similar capabilities as if it were running in the host system.

After the payload is decoded, it checks for duplicate processes and creates a bash script that configures various environment variables to enable the subsequent stages of the attack.

The bash script downloads a malicious binary disguised as a PHP extension, helping it avoid file extension-based detection, which will then perform a number of further actions which kill processes, set permissions, update the PATH environment variable, and execute commands in the background.

Remote access API is handy but presents attackers with a juicy target

The report noted that the malware has a robust persistence strategy utilizing systemd services or cron jobs to ensure it is able to remain active after the system is restarted, making it even more difficult to eradicate.

Trend Micro warned that the exploitation of Docker remote API servers “has now reached a critical level where the attention of an organization and its security professionals is seriously required.”

“It is essential that every organization's Docker Remote API server is secured, monitored regularly for unauthorized access and suspicious activities to reduce the risk of attacks, and has security patches up to date,” the report added.

Katie Paxton-Fear, API researcher at Traceable AI, said this case underscores the risks associated with enabling the remote access API by default.

"While remote access APIs can make management a breeze, easily deploying new docker containers, you should really think twice before enabling it by default. If you are not 100% sure you need this feature, the safest thing to do is disable it. In this case the researchers were able to pivot from a single docker container to the host via a container escape, but if the management API is simply disabled when not in use the vulnerability is completely avoidable.”

Paxton-Fear said that if firms do require the remote management API, they should understand the high level of access it can offer a threat actor if compromised.

“If you do need the remote management API, it's important to remember all management APIs have extremely high levels of access, and can create and modify resources at will so you must ensure you use strong authentication and authorization to ensure that not only can only those with valid credentials access a management consoles, but also that they have the correct permissions,” she advised. 

“This allows you to easily revoke access, but if a user's credentials are leaked, it is also vital to have logging and monitoring in place for docker exec so you are aware when new containers are created and used."