Pro-Ukraine Groups Exploit Containers to Launch DoS Attacks
Unsuspecting Hosts Are Potential Targets for Retaliation

Containers and cloud-based resources are being used to launch denial-of-service, or DoS, attacks against Russian, Belarusian and Lithuanian websites. In a new report, researchers at cybersecurity firm CrowdStrike say that through their Docker Engine honeypots, they observed two different Docker images targeting these assets between Feb. 27 and March 1, 2022.
Adam Meyers, senior vice president of intelligence for CrowdStrike, tells Information Security Media Group that the Docker Engine honeypots were specifically set up by the company to detect cyberattacks that would leverage containers as launchpads.
The researchers say two images have been downloaded more than 150,000 times and target domains identified as targets by the Ukrainian IT Army - or IT Army of Ukraine - a group of cybersecurity professionals who are providing support to Ukraine in the online aspects of its war with Russia. Meyers confirms this and says, "This is part of the broader movement from hacktivist groups due to the invasion of Ukraine."
The target list of this actor includes government, military, media, finance, energy and retail sector websites in Belarus and Russia and news sites in Lithuania, among others, the researchers say.
The researchers say they have "high confidence" that this target list overlaps with domains reportedly shared by the Ukraine government-backed IT Army that has called upon its members to perform DDoS attacks against Russian targets since the beginning of the Russian invasion.
Technical Analysis
The researchers say the initial compromise of the honeypots took place via an exposed Docker Engine API, a technique used to compromise misconfigured container engines. This technique has also been used recently by LemonDuck malware to mine cryptocurrency on Microsoft and Linux systems (see: LemonDuck Malware Evolves Into Major Cryptomining Botnet).
"In this instance, the honeypots were not hardened, leaving them vulnerable to being taken advantage of by the threat actors," Meyers says. He tells ISMG that the container that was deployed ran DoS attacks against Belarus, Russia and Lithuania and that the threat actors target such unsecured Docker instances and deploy without authorization.
One potential consequence of exploiting this attack vector is that "an organization with unsecured Docker instances may find themselves an unwitting participant in the current cyberwarfare situation in this scenario, and potentially face retaliatory attacks from Russia-nexus cyber actors," Meyers says.
First Docker Image
The first Docker image, called abagayev/stop-russia, is hosted on the Docker Hub and has been downloaded more than 100,000 times, the researchers say. This Docker image contains a Go-based HTTP benchmarking tool named bombardier with a SHA256 hash "6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453," which uses HTTP-based requests to stress-test a website. "In this case, this tool was abused as a DoS tool that starts automatically when a new Docker image-based container is created," the researchers say.
An earlier version of this Docker image picked a random entry from a hard-coded target list, but later versions instead picked one of the first 24 entries of the target list based on the current hour, the researchers say.
Second Docker Image
The second Docker image that was deployed on Feb. 28, 2022, is named erikmnkl/stoppropaganda. According to the researchers, this image has been downloaded over 50,000 times from the Docker Hub.
Similar to the first one, this image also contains a custom Go-based DoS program named stoppropaganda with the following SHA256 hash: "3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f." It sends HTTP GET requests to a list of target websites, overloading them with requests, the researchers say.
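For defenders who want to check their own hosts for the two conditions described above (an Engine API exposed over unauthenticated TCP, and containers running the two reported images or binaries with the reported hashes), the following Python script is an added example, not code from CrowdStrike or ISMG. It assumes the daemon configuration is passed in as the JSON text of /etc/docker/daemon.json and the container list as name/image records such as `docker ps` produces; the sample inputs at the bottom are constructed.

```python
import hashlib
import json

# Indicators reported in the article (image names and SHA256 of the DoS binaries).
KNOWN_BAD_IMAGES = {"abagayev/stop-russia", "erikmnkl/stoppropaganda"}
KNOWN_BAD_SHA256 = {
    "6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453",  # bombardier
    "3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f",  # stoppropaganda
}


def daemon_api_exposed(daemon_json):
    """Return the 'hosts' entries that expose the Engine API over plain TCP.

    daemon_json is the text of daemon.json. A tcp:// listener is only
    acceptable when 'tlsverify' is set, so those are not reported.
    """
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    tls_verified = bool(cfg.get("tlsverify", False))
    return [h for h in hosts if h.startswith("tcp://") and not tls_verified]


def flag_containers(containers):
    """Return names of containers whose image matches a reported image.

    containers is a list of {"name": ..., "image": ...}; tags and digests
    are stripped before comparing (e.g. 'abagayev/stop-russia:latest').
    """
    hits = []
    for c in containers:
        repo = c["image"].split("@")[0].split(":")[0]
        if repo in KNOWN_BAD_IMAGES:
            hits.append(c["name"])
    return hits


def is_known_bad_binary(data):
    """True if the bytes hash to one of the reported SHA256 values."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    sample_cfg = '{"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}'
    sample_ps = [{"name": "web", "image": "nginx:1.21"},
                 {"name": "x1", "image": "abagayev/stop-russia:latest"}]
    print("exposed API listeners:", daemon_api_exposed(sample_cfg))
    print("containers on reported images:", flag_containers(sample_ps))
```

Run it against the real daemon.json and the output of `docker ps --format '{{.Names}} {{.Image}}'` to turn the sample inputs into a host audit.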
Reason for Docker Exploitation
Meyers tells ISMG that the use of Docker in many organizations is relatively new and, as a result, deployments are often not properly secured. Threat actors prey on this and leverage Docker to launch cyberattacks via the unsuspecting host. Other threats related to this particular attack vector include cryptocurrency mining, which he says people should be aware of (see: Malicious Docker Images Used to Mine Monero).
When asked about what can be done to prevent these attacks, Meyers tells ISMG that apart from using specialized services, there is "a general lack of awareness around threats to Docker as it remains a misunderstood threat vector."
He says, "Configuration management and cloud security concerns remain huge issues surrounding this vector. Organizations need to be securing Docker from the get-go and not thinking of security as an afterthought. Threat actors understand how to leverage misconfigured Docker infrastructure to launch attacks and will continue to use this to their advantage."