A large-scale botnet attack targeting exposed Docker servers on the most popular cloud platforms was revealed recently.
A publicly reachable Docker API is used to spawn a container instance and use it for malicious purposes. The attack goes further by mapping the host's root file system into a directory inside the container; that mapping is then used to gain full control over the host and to perform additional activities through the Linux crontab system. You don't need to be explicitly targeted, since the attack uses a broad scan and will try to access any Docker API reachable from the public network.
Interestingly enough, while various active cyber defense tools try to identify and stop sophisticated attacks, most real-life exploits are possible because of basic misconfiguration and zero-days present in production systems. With only two basic checks one can recognize these security flaws and keep the attacker away:
- Ensure TLS authentication is enabled for any Docker daemon port exposed over TCP
- Regularly scan your host servers and check them for container instances that bind-mount Linux system folders
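The two checks above, as an added example that is not part of the original post or of Hardenite Audit: the daemon configuration is assumed to come from `/etc/docker/daemon.json` and the container mounts from `docker inspect` output; both are embedded here as constructed samples so the script runs offline.

```python
import json
from pathlib import PurePosixPath

# Host paths that hand over control of the host when bind-mounted into a container.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/spool/cron",
                        "/var/run/docker.sock", "/proc", "/sys")

def daemon_tls_issues(daemon_cfg: dict) -> list:
    """Check 1: every TCP listener in daemon.json 'hosts' must have tlsverify set."""
    tcp = [h for h in daemon_cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not daemon_cfg.get("tlsverify", False):
        return [f"Docker API listens on {', '.join(tcp)} without TLS client verification"]
    return []

def _exposes_host(source: str) -> bool:
    """True if the bind source equals, contains, or lies inside a sensitive path."""
    src = PurePosixPath(source)
    for s in map(PurePosixPath, SENSITIVE_HOST_PATHS):
        if src == s or src in s.parents or s in src.parents:
            return True
    return False

def host_mount_issues(containers: list) -> list:
    """Check 2: flag containers whose bind mounts reach host system folders."""
    issues = []
    for c in containers:
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and _exposes_host(m["Source"]):
                mode = "rw" if m.get("RW", True) else "ro"
                issues.append(f"{c['Name']}: host {m['Source']} mounted at {m['Destination']} ({mode})")
    return issues

# Constructed samples standing in for /etc/docker/daemon.json and `docker inspect` output.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Mounts": [{"Type": "bind", "Source": "/srv/www",
                                 "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Name": "/batch", "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
    {"Name": "/agent", "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                                   "Destination": "/var/run/docker.sock", "RW": True}]},
])

def audit(daemon_json: str, inspect_json: str) -> list:
    """Run both checks and return the findings as human-readable lines."""
    return daemon_tls_issues(json.loads(daemon_json)) + host_mount_issues(json.loads(inspect_json))

if __name__ == "__main__":
    for finding in audit(SAMPLE_DAEMON_JSON, SAMPLE_INSPECT):
        print("FINDING:", finding)
```

On a real host, feed it `cat /etc/docker/daemon.json` and `docker inspect $(docker ps -q)` instead of the samples.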
Hardenite Audit fits this job perfectly, as it performs an automatic security audit of Linux servers running Docker, scanning both the host and the containers running on it. It recognizes the flaws, reports them and suggests relevant fixes.