Summary:
Threat actors are exploiting misconfigured Docker servers to deploy Gafgyt malware, traditionally targeting IoT devices. This shift in behavior allows attackers to launch DDoS attacks on vulnerable servers. Enhanced security measures are recommended to mitigate these risks.
#GafgytMalware #DockerSecurity #DDoSAttacks
Threat actors are exploiting misconfigured Docker servers to deploy Gafgyt malware, traditionally targeting IoT devices. This shift in behavior allows attackers to launch DDoS attacks on vulnerable servers. Enhanced security measures are recommended to mitigate these risks.
#GafgytMalware #DockerSecurity #DDoSAttacks
Keypoints:
- Trend Micro Research identified Gafgyt malware targeting misconfigured Docker Remote API servers.
- The malware allows attackers to perform DDoS attacks on the servers.
- Gafgyt has shifted from targeting IoT devices to exploiting Docker servers.
- Attackers create Docker containers using legitimate images to deploy the malware.
- Gafgyt botnet binaries are hardcoded with command-and-control server IP addresses.
- Attackers use privilege escalation techniques to gain control over the host system.
- Multiple DDoS attack protocols are utilized, including UDP, TCP, and HTTP.
- Recommendations include securing Docker servers and monitoring for unusual activities.
MITRE Techniques
- External Remote Services (T113): Exploits exposed services to gain initial access to the system.
- Deploy Container (T1610): Uses container deployment to execute malicious binaries.
- Command and Scripting Interpreter: Unix Shell (T1059.04): Executes commands via the Unix shell.
- Escape to Host (T1611): Escalates privileges by accessing the host system from within a container.
- Application Layer Protocol (T1071): Communicates with command-and-control servers using application layer protocols.
- Ingress Tool Transfer (T1105): Transfers tools to the compromised system.
- System Network Configuration Discovery (T1016): Discovers network configurations for further exploitation.
- Network Denial of Service (T1498): Conducts denial-of-service attacks on networked resources.
IoC:
- [IP Address] 178.215.238.31
- [File Name] rbot
- [File Name] atlas.i586
- [File Name] cve.sh
- [IP Address] 8.8.8.8
Full Research: https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-docker-remote-api-servers.html