Docker: Cybercriminal executes malicious image directly in host

Last update March 20, 2023 at 01:12 am

A security weakness exploited in a Docker infrastructure.

This week, a cybersecurity research team discovered a new type of attack against container infrastructure. The cybercriminal exploits an exposed Docker API port to build and run a malicious image directly on the host.






First of all, what is Docker?


Docker is a software platform that makes it easy to manage containers on a system. A container is an environment isolated from the host operating system (Linux, Windows, macOS) that reproduces the libraries, the file system and, above all, the processes of an operating system. In software development it is widely used to build infrastructure without affecting the main development environment.

Basically, if VirtualBox and VMware are software that virtualizes operating systems on the same machine, Docker, to put it loosely, is software that virtualizes software.



What is the point of virtualizing software?


As developers, we can create an infrastructure for automated testing and code deployment on a single machine. Normally we would need to buy servers and equipment and then spend the day configuring them. Thanks to Docker, you can create several containers, each of which behaves like a piece of equipment with a specific role. They then communicate and work together virtually.

Sometimes in development work you need to install database tools to test the program properly. These tools can be complex enough to install that you uninstall them when you are done and then repeat the installation process the next time the need arises. With Docker, you just search for the image of the tool in question and create a container from it. A container image is like a saved copy of a working environment. Creating a container from its image simply amounts to restoring that image.

We will talk at length about Docker in future articles. Now that we understand it a little, let's see how this weakness in the system can be exploited.





Description of the cyberattack using the Docker API




Aqua's cybersecurity research team has discovered a new kind of attack on container infrastructure. The attacker exploits an improperly configured Docker API port in order to build and run a malicious container image on the host. According to the team, this is the first time an attack in which the attacker builds an image on the host, rather than pulling it from a public registry, has been observed in the wild.
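The misconfiguration the article refers to is a Docker daemon whose HTTP API listens on a TCP port without client-certificate verification, often bound to every interface. The following Python is an added example written for this post, not code from the article or from Aqua's report: it audits a daemon.json document and a dockerd command line for such listeners. The `hosts` and `tlsverify` keys and the `-H`/`--host` flags are real dockerd options; the sample configuration contents and addresses below are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed daemon.json contents (example data, not taken from the article).
# The first exposes the API on every interface without TLS; the second is hardened.
SAMPLE_DAEMON_JSON_EXPOSED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
SAMPLE_DAEMON_JSON_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Constructed dockerd command line, as it might appear in a process listing.
SAMPLE_CMDLINE = "dockerd -H fd:// -H tcp://0.0.0.0:2375"


def hosts_from_cmdline(cmdline):
    """Extract listener addresses from a dockerd command line (-H addr, --host addr, --host=addr)."""
    hosts = []
    argv = cmdline.split()
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:   # the -Htcp://... spelling
            hosts.append(arg[2:])
        i += 1
    return hosts


def audit_listeners(hosts, tls_verify):
    """Return one finding string per risky TCP listener; an empty list means nothing to report."""
    findings = []
    for host in hosts:
        parsed = urlparse(host)
        if parsed.scheme != "tcp":
            continue   # unix:// and fd:// listeners are governed by socket file permissions
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify, the API accepts unauthenticated requests")
        bind = parsed.hostname or ""
        if bind in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit_daemon_config(daemon_json_text):
    """Audit the hosts and tlsverify settings of a daemon.json document."""
    cfg = json.loads(daemon_json_text)
    return audit_listeners(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


if __name__ == "__main__":
    for label, text in (("exposed", SAMPLE_DAEMON_JSON_EXPOSED), ("hardened", SAMPLE_DAEMON_JSON_HARDENED)):
        print(label, audit_daemon_config(text) or "no findings")
    # For the command line, tlsverify comes from a separate --tlsverify flag; here assumed absent.
    print("cmdline", audit_listeners(hosts_from_cmdline(SAMPLE_CMDLINE), tls_verify=False))
```

On a real host, `daemon.json` normally lives at `/etc/docker/daemon.json` and the command line can be read from the dockerd process; the check does not cover a listener added through a systemd socket unit, which has to be inspected separately.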


Previously observed attacks generally follow the same principle: hijacking the host's resources. This was done by running a cryptocurrency miner, launching a denial-of-service attack against other hosts or, worse, escaping from the container and spreading across the host's network.


To prevent and combat this type of attack, defenders can, for their part, scan images and act on the results, or restrict communication with a suspicious source or registry.


In the case discovered here, the attacker did not pull an image from a remote source but built it directly on the targeted host in order to bypass its defense mechanisms. Building it directly on the host also makes the attacker's infrastructure more persistent: since the image is not stored anywhere else, no one can delete it, let alone see it. In addition, the image name, and possibly its ID, are randomly generated and are likely unique to each host. This makes it difficult for defenders to add the image to a blocklist in order to block it, so prior knowledge of the image or its identifier would be of little use.


However, a Dynamic Threat Analysis (DTA) scanner that looks for behavioral patterns can help defenders detect this type of attack. The technique also underlines the importance of a continuous dynamic scanning cadence in cloud-native environments.
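The two preceding paragraphs make the detection point: a locally built image with a random name defeats a blocklist, so the defender has to look at behavior instead. As an added example for this post (not code from the article or from Aqua's tooling), the following Python reads lines in the shape of `docker events --format '{{json .}}'` and flags container starts whose image was never pulled during the observed window and does not come from an allowed registry, adding a crude entropy check for random-looking names. The JSON field names follow the Docker CLI's event output; the event lines, the container and image names and the allowed-registry list are constructed for the example.

```python
import json
import math
from collections import Counter

# Constructed event lines in the shape of `docker events --format '{{json .}}'`.
# Field names (Type, Action, Actor.ID, Actor.Attributes.image / name, time) follow the
# Docker CLI's JSON output; the names, IDs and timestamps are made up for this example.
SAMPLE_EVENTS = [
    '{"Type":"image","Action":"pull","Actor":{"ID":"nginx:1.25","Attributes":{"name":"nginx"}},"time":1679270000}',
    '{"Type":"container","Action":"start","Actor":{"ID":"c1","Attributes":{"image":"nginx:1.25","name":"web"}},"time":1679270010}',
    '{"Type":"container","Action":"start","Actor":{"ID":"c2","Attributes":{"image":"xk7q2v9zp4","name":"zealous_bose"}},"time":1679270020}',
    '{"Type":"container","Action":"start","Actor":{"ID":"c3","Attributes":{"image":"registry.internal/app:2.1","name":"app"}},"time":1679270030}',
]

# Registries the organisation trusts (assumed value for this example).
ALLOWED_REGISTRIES = {"registry.internal"}


def registry_of(image_ref):
    """Return the registry host of an image reference, or None for a bare reference.

    Docker treats the first path component as a registry only when it contains '.' or ':'
    or is 'localhost'; 'nginx:1.25' and 'library/nginx' are therefore bare (Docker Hub)."""
    if "/" not in image_ref:
        return None
    first = image_ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return None


def shannon_entropy(text):
    """Bits of entropy per character; a rough signal for random-looking names."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious_starts(event_lines, allowed_registries=ALLOWED_REGISTRIES, entropy_threshold=3.0):
    """Flag container starts whose image was not pulled during the window and is not from an
    allowed registry, i.e. images that reached the host some other way (built or loaded locally)."""
    pulled = set()
    suspicious = []
    for line in event_lines:
        ev = json.loads(line)
        actor = ev.get("Actor", {})
        attrs = actor.get("Attributes", {})
        if ev.get("Type") == "image" and ev.get("Action") == "pull":
            pulled.add(actor.get("ID", ""))   # Actor.ID of a pull event is the image reference
            continue
        if ev.get("Type") != "container" or ev.get("Action") != "start":
            continue
        image = attrs.get("image", "")
        if image in pulled:
            continue
        registry = registry_of(image)
        if registry in allowed_registries:
            continue   # may have been pulled before the window; trusted source anyway
        reasons = ["image was not pulled during the event window"]
        if registry is None:
            reasons.append("image reference has no registry prefix")
        else:
            reasons.append(f"registry {registry} is not in the allowlist")
        # Strip registry, tag and digest to score only the repository name.
        name = image.rsplit("/", 1)[-1].split(":", 1)[0].split("@", 1)[0]
        if shannon_entropy(name) >= entropy_threshold:
            reasons.append("random-looking image name")
        suspicious.append({"container": attrs.get("name"), "image": image,
                           "time": ev.get("time"), "reasons": reasons})
    return suspicious


if __name__ == "__main__":
    for hit in find_suspicious_starts(SAMPLE_EVENTS):
        print(hit)
```

The entropy threshold is a heuristic that short legitimate names can also cross, so it is reported as an extra reason rather than used on its own; the strong signal is a container running from an image the daemon never pulled. Feeding the function from a live `docker events` stream, or from the daemon's audit log, turns it into the kind of behavioral check the paragraph above describes.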



The diagram below shows how the attacker proceeds:

[Diagram: Docker attack sequence]









