Exposed Docker Daemons Fuel DDoS Botnet
The for-hire platform leverages legitimate cloud-native tools to make detection and disruption harder for defenders and SOC analysts.
Explore the latest Docker security news, updates, and best practices to safeguard your containers and applications with our information security insights.
Search across headline titles and summaries.
Background for this topic.
Docker is a platform for building, distributing, and running applications as containers. An image packages application code and dependencies; Docker Engine starts it as an isolated process that shares the host’s operating-system kernel, rather than as a full virtual machine. The Docker API and image registries connect local or automated build and deployment workflows.
Security depends on both the daemon and the images it runs. Access to the Docker daemon or its socket can provide extensive control of the host, so the API should not be unnecessarily exposed and socket mounts should be tightly restricted. Privileged containers, excessive Linux capabilities, and broad host filesystem mounts weaken isolation. Image vulnerabilities or malicious dependencies can enter through the build and distribution chain; use trusted, minimal bases, pinned dependencies, vulnerability scanning, provenance controls, and regular rebuilds. Do not place secrets in image layers. Rootless mode and restrictive security profiles can reduce the consequences of a compromised container.
Weekly headline count for the current query.
The for-hire platform leverages legitimate cloud-native tools to make detection and disruption harder for defenders and SOC analysts.
Developers maintaining the images made the "intentional choice" to leave the artifacts available as "a historical curiosity," given the improbability they'd be exploited.
The attack is similar to previous campaigns by an actor called Commando Cat to use misconfigured APIs to compromise containers and deploy cryptocurrency miners.
Attackers are taking advantage of misconfigured containers to deploy cryptocurrency mining software.
The purported metadata for each these containers had embedded links to malicious files.
"Spinning YARN" cyberattackers wielding a Linux webshell are positioning for broader cloud compromise by exploiting common misconfigurations and a known Atlassian Confluence bug.
The threat actor behind the campaign is still unknown, but it shares some similarities with other cyptojacking groups.
The four security vulnerabilities are found in Docker and beyond, and one affecting runC affects essentially every cloud-native developer worldwide.
Cyberattackers are exploiting Docker instances to drop the bot-tastic 9hits Web traffic generator and "earn" valuable credits that can be turned into cash.
Researchers found that the private keys and secrets they discovered being exposed within the Docker framework are already being used in the wild.
A new ruleset from Bazel, an open source build and test tool from Google, allows developers to create Docker images and generate software bills of materials about what is inside the containers.
Cybercriminal groups are targeting misconfigured Docker and Kubernetes clusters — or just automating the sign-up process for free trial accounts — to build infrastructure for cryptomining.
Slack, Docker, Kubernetes, and other applications that allow developers to collaborate have become the latest vector for software supply chain attacks.
Honeypot activity exposed two credentials that the threat actor is using to host and distribute malicious container images, security vendor says.
Public Travis CI logs loaded with GitHub, AWS, Docker Hub account tokens, and other sensitive data could be leveraged for lateral cloud attacks.
Cloud containers are increasingly part of the cybercrime playbook, with researchers flagging ongoing scanning for Docker weaknesses along with rapid exploitation to infect systems with coin-miners, denial-of-service tools, and ransomware.