Threat Actors Exploit Docker Engine API

Publicly accessible Docker Engine API instances have become the target of a campaign aiming to enlist machines into a distributed denial-of-service (DDoS) botnet named OracleIV.

Attackers have been observed abusing misconfigured Docker hosts, specifically daemons whose Engine API is reachable from the internet without authentication, to deploy Python malware compiled into an ELF executable. The attack chain shows the attackers retrieving a shell script named 'oracle.sh' from a command-and-control (C&C) server. Before deploying the malware, they issue HTTP requests to the exposed API to identify daemons that will accept their commands. To evade detection, the implant runs as a background service, detached from any user session.
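The sequence described above (probe the daemon, pull an image, create a container, start it) is what a defender should be looking for in traffic to the Engine API. The following detection logic is an added example and is not code from the original page or from Cado Security; it runs over a constructed access log in an assumed "timestamp, source IP, method, path, status" format, with documentation-range addresses and made-up image names, and assumes that only the 10.0.0.0/8 range legitimately drives the API.

```python
"""Detect the request chain used against an exposed Docker Engine API: probe the
daemon, pull an image, create a container, start it. Added example, not from the page."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Constructed log in an assumed "<ts> <src_ip> <method> <path> <status>" format
# (e.g. a reverse proxy in front of the daemon); addresses are documentation
# ranges and the image names are made up.
SAMPLE_LOG = """\
2023-11-13T09:12:01Z 203.0.113.7 GET /v1.43/version 200
2023-11-13T09:12:02Z 203.0.113.7 GET /v1.43/containers/json 200
2023-11-13T09:12:05Z 203.0.113.7 POST /v1.43/images/create?fromImage=example%2Fbot&tag=latest 200
2023-11-13T09:12:30Z 203.0.113.7 POST /v1.43/containers/create 201
2023-11-13T09:12:31Z 203.0.113.7 POST /v1.43/containers/3f9a1c2b/start 204
2023-11-13T09:15:00Z 10.0.0.4 POST /v1.43/images/create?fromImage=internal%2Fapp&tag=1.2 200
2023-11-13T09:15:01Z 10.0.0.4 POST /v1.43/containers/create 201
2023-11-13T09:15:02Z 10.0.0.4 POST /v1.43/containers/77aa00bb/start 204
2023-11-13T09:20:00Z 198.51.100.9 GET /v1.43/version 200
2023-11-13T09:21:00Z 198.51.100.9 POST /v1.43/images/create?fromImage=x 500
"""

# Assumption: only this range legitimately drives the API (e.g. an internal CI host).
ALLOWED_NETS = [ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Engine API endpoint for each stage; the /vN.NN/ version prefix is optional.
STAGES = (
    ("probe", "GET", re.compile(r"^/(v[\d.]+/)?(version|info|containers/json)(\?|$)")),
    ("pull", "POST", re.compile(r"^/(v[\d.]+/)?images/create(\?|$)")),
    ("create", "POST", re.compile(r"^/(v[\d.]+/)?containers/create(\?|$)")),
    ("start", "POST", re.compile(r"^/(v[\d.]+/)?containers/[^/?]+/start(\?|$)")),
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}


def stage_of(req):
    for name, method, pat in STAGES:
        if req["method"] == method and pat.match(req["path"]):
            return name
    return None


def pulled_image(path):
    """Image reference named in an /images/create request (fromImage plus optional tag)."""
    params = parse_qs(urlsplit(path).query)
    image = params.get("fromImage", [None])[0]
    tag = params.get("tag", [None])[0]
    return f"{image}:{tag}" if image and tag else image


def in_order(stages, wanted):
    """True when every stage in `wanted` occurs in `stages`, in that order."""
    pos = 0
    for s in stages:
        if s == wanted[pos]:
            pos += 1
            if pos == len(wanted):
                return True
    return False


def find_api_abuse(log_text):
    """One finding per unexpected client: 'compromise' if it completed the pull,
    create, start chain, otherwise 'recon'."""
    stages_by_src, images_by_src = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None or req["status"] >= 400:
            continue  # only successful calls advance the chain
        stage = stage_of(req)
        if stage is None:
            continue
        stages_by_src[req["src"]].append(stage)
        if stage == "pull" and pulled_image(req["path"]):
            images_by_src[req["src"]].append(pulled_image(req["path"]))

    findings = []
    for src, stages in stages_by_src.items():
        if any(ip_address(src) in net for net in ALLOWED_NETS):
            continue  # assumed-legitimate orchestration traffic
        severity = "compromise" if in_order(stages, ("pull", "create", "start")) else "recon"
        findings.append({"src": src, "severity": severity,
                         "stages": stages, "images": images_by_src[src]})
    return findings
```

Two design points matter here. Only successful responses advance the chain, so a refused pull from an unknown client is reported as reconnaissance rather than compromise, and the allowlist is deliberately explicit instead of relying on a "private address" heuristic, because an orchestrator on an internal range performs exactly the same pull, create, start sequence as the attacker.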

Separately, XorDdos, a DDoS malware family that infects Linux devices, resurfaced in 2023. It turns compromised Linux machines into bots that are then used in DDoS attacks on selected targets. Palo Alto Networks Unit 42 reported that the renewed XorDdos campaign began in late July 2023 and peaked around August 12, 2023.

Exposed Docker instances have been attractive targets for several years, most often for cryptojacking (illicit cryptocurrency mining) campaigns; OracleIV shows the same foothold being used to build DDoS capacity instead.

Docker Hub users are encouraged to regularly assess images pulled from the registry to ensure they are not tainted with malicious code. As with other attacks that abuse misconfigured, internet-exposed services (Jupyter, Redis, and so on), Cado researchers strongly encourage users of these services to periodically review the risks they face and implement network defenses accordingly. For the Docker Engine API in particular, the daemon should listen only on its local Unix socket unless a TLS-protected listener with client certificate verification is genuinely required, since any client that can issue API calls has root-equivalent control of the host.
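The check that follows is an added example, not code from the original page or from Cado Security. It audits how a dockerd instance exposes its API by reading both the places a listener can be declared, the `hosts` key in daemon.json and `-H`/`--host` flags in the systemd ExecStart line, flags any plain-TCP listener or any listener bound to every interface, and then produces a hardened daemon.json. The input files, the certificate directory `/etc/docker/tls` and the address 10.0.0.5 are constructed assumptions.

```python
"""Audit how dockerd exposes its Engine API and emit a hardened daemon.json.
Added example; not code from the original page or from Cado Security."""
import json
import shlex
from urllib.parse import urlsplit

# Constructed inputs (assumed, not taken from a real host): a daemon.json with a
# plain-TCP listener, and a systemd ExecStart that adds another one.
DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
EXECSTART = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 "
             "--containerd=/run/containerd/containerd.sock")

# Assumed location of the CA, server certificate and key for the hardened config.
TLS_DIR = "/etc/docker/tls"


def hosts_from_execstart(line):
    """Collect -H / --host values from a dockerd command line."""
    args = shlex.split(line)
    hosts, i = [], 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a.startswith("-H") and len(a) > 2:
            hosts.append(a[2:])
        i += 1
    return hosts


def audit(daemon_json_text, execstart_line=""):
    """Return one finding per risky listener; an empty list means nothing to fix."""
    cfg = json.loads(daemon_json_text)
    hosts = list(cfg.get("hosts", [])) + hosts_from_execstart(execstart_line)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// are reachable only from the host itself
        if not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify; any client that can "
                            "reach it gets root-equivalent control of the host")
        if u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"{h}: bound to every interface, including public ones")
    return findings


def hardened(daemon_json_text, remote_addr=None):
    """Keep only the local socket, or add one mutually authenticated TLS listener
    bound to remote_addr when remote access is genuinely required."""
    cfg = json.loads(daemon_json_text)
    cfg["hosts"] = [h for h in cfg.get("hosts", []) if urlsplit(h).scheme != "tcp"]
    if not cfg["hosts"]:
        cfg["hosts"] = ["unix:///var/run/docker.sock"]
    for key in ("tls", "tlsverify", "tlscacert", "tlscert", "tlskey"):
        cfg.pop(key, None)
    if remote_addr:
        cfg["hosts"].append(f"tcp://{remote_addr}:2376")
        cfg.update({"tlsverify": True,
                    "tlscacert": f"{TLS_DIR}/ca.pem",
                    "tlscert": f"{TLS_DIR}/server-cert.pem",
                    "tlskey": f"{TLS_DIR}/server-key.pem"})
    return cfg


if __name__ == "__main__":
    for finding in audit(DAEMON_JSON, EXECSTART):
        print("FINDING:", finding)
    print(json.dumps(hardened(DAEMON_JSON, remote_addr="10.0.0.5"), indent=2))
```

Two caveats when applying the hardened file: dockerd refuses to start if `hosts` is set in daemon.json while the systemd unit still passes `-H fd://`, so the ExecStart line has to be overridden in a drop-in at the same time; and `tlsverify` only protects the listener once every legitimate client has been issued a certificate signed by the configured CA and host firewall rules limit who can reach port 2376 at all. Where remote access is only needed occasionally, tunnelling the Unix socket over SSH (`DOCKER_HOST=ssh://user@host`) avoids opening a TCP listener entirely.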
