10/21/2024 | News release | Distributed by Public on 10/21/2024 08:16
Summary
Recent cyberattacks have leveraged unprotected Docker Remote API servers to deploy malicious code. Attacks on the Docker Remote API server follow a structured sequence, starting with probing for the server's presence and ending with the actual execution of payloads.
We will conduct a detailed analysis of the attack flow, describing how attackers exploit vulnerable Docker Remote API servers. By reviewing recent incidents, we will emphasize the importance of securing the Docker Remote API server and the potential consequences of this exploitation.
In a similar previous incident, an unknown threat actor installed a cryptocurrency miner using vulnerable Docker Remote API servers. The attacker set up a Docker container using the "ubuntu:mantic-20240405" image from Docker Hub, then used "nsenter" to break out of the container and run a Base64-encoded payload.
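A defender-side check for the container-creation pattern described above, added here as an example and not code from the original article: it audits the JSON body of a Docker Engine API `POST /containers/create` request for the settings and commands that make an nsenter breakout and a Base64-decoded payload possible (privileged mode, host PID namespace, a bind mount of the host root, `nsenter` or `base64 -d` in the command). The request bodies are constructed fixtures modelled on the incident, the illustrative command string is not a working command, and `audit_create_request` and `audit_log` are names chosen for this example.

```python
import json
import re

# Constructed fixture modelled on the behaviour described above (container from
# ubuntu:mantic-20240405, nsenter breakout, Base64-encoded payload). The command
# string is illustrative only: not a real capture and not a working command.
SUSPICIOUS_CREATE_REQUEST = json.dumps({
    "Image": "ubuntu:mantic-20240405",
    "Cmd": ["sh", "-c", "nsenter sh -c 'echo PAYLOAD_B64_PLACEHOLDER | base64 -d | sh'"],
    "HostConfig": {"Privileged": True, "PidMode": "host", "Binds": ["/:/host"]},
})

# Constructed benign request for comparison.
BENIGN_CREATE_REQUEST = json.dumps({
    "Image": "nginx:1.27",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"PortBindings": {"80/tcp": [{"HostPort": "8080"}]}},
})

# nsenter as a command word (start of string or after a shell separator / path slash).
NSENTER_RE = re.compile(r"(?:^|[\s;|&/])nsenter\b")
# base64 invoked in decode mode.
B64_DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")


def _as_list(value):
    """Docker accepts Cmd/Entrypoint as a string or a list; normalise to a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def audit_create_request(body: str) -> list[str]:
    """Return risk findings for one 'POST /containers/create' body given as JSON text."""
    req = json.loads(body)
    host = req.get("HostConfig") or {}
    findings = []
    if host.get("Privileged") is True:
        findings.append("privileged container")
    if host.get("PidMode") == "host":
        findings.append("host PID namespace")
    for bind in host.get("Binds") or []:
        # Bind syntax is host_src:container_dst[:opts]; mounting "/" exposes the whole host.
        if bind.split(":", 1)[0] == "/":
            findings.append("host root filesystem bind-mounted")
            break
    command = " ".join(_as_list(req.get("Entrypoint")) + _as_list(req.get("Cmd")))
    if NSENTER_RE.search(command):
        findings.append("nsenter in container command")
    if B64_DECODE_RE.search(command):
        findings.append("base64-decoded command payload")
    return findings


def audit_log(lines: list[str]) -> dict[int, list[str]]:
    """Audit one request body per line; return {line_number: findings} for lines with hits.

    Blank lines and lines that are not JSON are skipped rather than failing the run.
    """
    hits = {}
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            findings = audit_create_request(line)
        except json.JSONDecodeError:
            continue
        if findings:
            hits[number] = findings
    return hits


if __name__ == "__main__":
    for name, body in (("suspicious", SUSPICIOUS_CREATE_REQUEST), ("benign", BENIGN_CREATE_REQUEST)):
        print(name, audit_create_request(body))
```

The same checks apply to `docker inspect` output, where `HostConfig` carries identical keys; a Docker daemon whose API is reachable only over a TLS-authenticated socket removes the entry point entirely, and this audit is the compensating detection for the case where it is not.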
The Attack Sequence