Cybercriminals have been exploiting misconfigured Docker containers for months to engage in cryptojacking activities. One such campaign, known as “Commando Cat,” has been identified by Trend Micro as a recent threat targeting Docker environments. The attackers behind Commando Cat are exploiting Docker misconfigurations to gain unauthorized access to containerized environments, deploying cryptocurrency miners through Docker images to profit illicitly.
The manipulation of Docker containers by cybercriminals has become a prevalent issue in recent times. Al Carchrie, R&D lead solutions engineer at Cado Security, discovered the Commando Cat campaign earlier this year and highlighted the various methods cybercriminals use to run their malicious code on compromised Docker infrastructure. While traditional methods involved registering malicious containers within libraries, Commando Cat takes a different approach by using benign containers as carriers for their malicious payloads.
In the Commando Cat campaign, threat actors first identify exposed Docker remote API servers as entry points for their attacks. Typically, these exposed endpoints result from misconfigurations, highlighting the importance of proper oversight in maintaining secure container environments. Once access is gained, the attackers deploy a harmless Docker image using the Commando tool and leverage Linux operations like “chroot” and volume binding to escape the container and access the host operating system. This breach allows them to establish a command-and-control channel and upload cryptojacking malware onto the compromised system.
To combat such threats, organizations are advised to follow security best practices when utilizing Docker containers. Trend Micro recommends using official or certified Docker images, avoiding running containers with root privileges, conducting regular security audits, and adhering to established container security guidelines. Additionally, it is crucial to ensure that the Docker daemon's remote API is not directly reachable from the Internet, since an exposed, unauthenticated API endpoint is the entry point described above.
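The two weaknesses the article describes, an Internet-exposed Docker remote API and containers that bind-mount the host filesystem or run as root, can both be checked from configuration data a defender already has. The script below is an added example written for this article, not code from Trend Micro or Cado Security; it audits a constructed `daemon.json` fragment and a constructed, trimmed sample in the shape of `docker inspect` output, and flags the conditions that would let a container reach the host the way the campaign's `chroot`-and-volume-binding step does. The sample data, the `SENSITIVE_HOST_PATHS` list and the finding messages are assumptions chosen for the example.

```python
"""Audit helpers for the Docker weaknesses discussed in the article:
an exposed remote API and containers with host-level access."""
import json

# Constructed sample: daemon.json that listens on TCP without TLS (weak setting)
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the corrected daemon.json, local UNIX socket only
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock"],
})

# Constructed sample shaped like (trimmed) `docker inspect` output.
# The first container bind-mounts the host root and has no User set;
# the second uses a named volume and an unprivileged UID.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/suspicious",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": False, "Binds": ["/:/hostfs"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs"}],
    },
    {
        "Name": "/webapp",
        "Config": {"User": "1000:1000"},
        "HostConfig": {"Privileged": False, "Binds": []},
        "Mounts": [{"Type": "volume",
                    "Source": "/var/lib/docker/volumes/app_data/_data",
                    "Destination": "/data"}],
    },
])

# Host paths that, when bind-mounted, give a container a route to the host
# (assumed list for this example; extend it to match local policy).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock")

# Listen addresses that expose the API to every interface.
WILDCARD_ADDRS = ("", "0.0.0.0", "::", "[::]")


def daemon_api_findings(daemon_json: str) -> list:
    """Return findings for TCP listeners in a daemon.json fragment."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-exposed
        addr = host[len("tcp://"):]
        ip = addr.rsplit(":", 1)[0]  # strip the port
        if ip in WILDCARD_ADDRS and not cfg.get("tlsverify"):
            findings.append(
                f"remote API listens on {host} without TLS verification")
    return findings


def _is_root_user(user: str) -> bool:
    """Docker's Config.User is '' (default root), 'root', '0', or 'uid[:gid]'."""
    uid = user.split(":", 1)[0]
    return uid in ("", "0", "root")


def container_findings(inspect_json: str) -> dict:
    """Map container name -> list of host-access findings."""
    results = {}
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        issues = []
        if container["HostConfig"].get("Privileged"):
            issues.append("runs privileged")
        if _is_root_user(container["Config"].get("User", "")):
            issues.append("runs as root (no User set)")
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and \
                    mount.get("Source") in SENSITIVE_HOST_PATHS:
                issues.append(
                    f"bind-mounts sensitive host path {mount['Source']} "
                    f"at {mount['Destination']}")
        if issues:
            results[name] = issues
    return results


if __name__ == "__main__":
    for line in daemon_api_findings(WEAK_DAEMON_JSON):
        print("daemon:", line)
    for name, issues in container_findings(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(issues)}")
```

On a live host the same functions can be fed the real `/etc/docker/daemon.json` and the output of `docker inspect $(docker ps -q)`; the point of the checks is that a container which bind-mounts `/` while running as root is exactly what the escape step described above needs, so it should never appear in a healthy inventory.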
Overall, the Commando Cat campaign underscores the growing trend of cybercriminals targeting Docker environments for malicious purposes. By staying vigilant and implementing robust security measures, organizations can protect their containerized infrastructure from unauthorized access and potential cryptojacking attacks.