Researchers discovered a new cryptojacking worm called "Graboid" that has spread to more than 2,000 unsecured Docker hosts. In its research, Palo Alto Networks' Unit 42 team noted that it's the first time it's discovered a cryptojacking worm specifically using containers in the Docker Engine for distribution. (It's not the first time that cryptojacking malware have taken on the form of a worm, however.) Unit 42 researchers found that an infection begins when malicious actors establish an initial foothold through unsecured Docker daemons. A quick search on Shodan uncovered over unsecured 2,000 Docker engines lacking any authentication or authorization measures. These weaknesses enabled the threat actors to compromise the daemon, run the malicious Docker container pulled from Docker Hub, download several scrips from its command-and-control (C&C) server and pick its next target. To do so, Graboid selected three targets at a time. It then installed the worm on the first target, stopped its Monero miner on the second target and started the miner on the third target. The exact motivation for creating this design remained unclear at the time of discovery. To better understand this behavior, Unit 42 created its own Python-based simulation involving 2,000 hosts in an IP file. The team found that Graboid reached all 1,400 vulnerable hosts that didn't fail (70 percent of the total) in approximately 60 seconds and ran the mining process on 900 hosts at any given time. Overall, each miner was active for only about 65 percent of the time, with each mining session lasting only about 250 seconds.
The results of Unit 42's worm simulation. (Source: Unit 42) Jay Chen, senior cloud vulnerability and exploit researcher for Unit 42, admitted that Graboid isn't the most sophisticated threat but that its potential to cause damage is multi-faceted:
While this cryptojacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored. If a more potent worm is ever created to take a similar infiltration approach, it could cause much greater damage.
The emergence of Graboid highlights the importance of organizations taking steps to secure their Docker hosts. This process should involve using a sophisticated solution to find vulnerabilities in and enforce CIS policy compliance for Docker base images. Learn how Tripwire for Devops can help.
