In a very interesting development, the worlds of cryptojacking malware, worm-type mechanisms for direct propagation, and containerized workloads have collided with the news that a container-specific worm dubbed "Graboid" (after the enormous sandworms featured in the favorite 1990 B-movie Tremors) was discovered this month.
Cryptojacking malware is nothing new. Over the past few years, as cryptocurrency became increasingly popular, a typical aim became to use the CPU resources of compromised machines to mine a specific cryptocurrency (in this case Monero), rather than to hold the host to ransom or to go after IP/card information directly.
There are some key aspects of the Graboid worm that grabbed (sorry) my attention. Namely:
1. The worm targets insecure, open Docker Engine instances, and uses them both for further spread and for the crypto-mining itself. A quick shodan.io search picks these up easily.
2. The random nature of the subsequent host choice and mining initiation, which makes detection more difficult.
3. Both the initial infection and the subsequent spread can be contained using a segmentation solution that covers both hosts and containers.
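The first point above comes down to a Docker daemon that answers unauthenticated API calls on a TCP port. The following is an added example (not code from the original post or from Illumio) that audits your own daemon configuration for that condition, either from a daemon.json file or from a running dockerd command line. The configuration keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options; the sample configurations, addresses and file paths are constructed for the example.

```python
"""Audit a Docker Engine daemon configuration for an unauthenticated remote API.

Added example for illustration; sample configurations below are constructed.
"""
import json
import shlex

# Constructed daemon.json contents: weak (plaintext TCP listener, no TLS)
# beside a hardened equivalent (TLS client auth, bound to an internal address).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],  # constructed address
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Constructed dockerd command line as it might appear in `ps` output.
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")
ALL_INTERFACES = ("", "0.0.0.0", "::")


def _listeners(hosts):
    """Yield (bind_address, port) for each tcp:// entry in a dockerd hosts list."""
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        addr = h[len("tcp://"):]
        if addr.startswith("["):            # IPv6 form, e.g. [::]:2375
            bind, _, port = addr[1:].partition("]:")
        else:
            bind, sep, port = addr.rpartition(":")
            if not sep:                     # no port given
                bind, port = addr, ""
        yield bind, port


def audit_config(cfg):
    """Return a list of (severity, message) findings for a parsed daemon config."""
    findings = []
    tls = bool(cfg.get("tlsverify", False))
    for bind, port in _listeners(cfg.get("hosts", [])):
        if not tls:
            findings.append(("high", f"tcp listener {bind}:{port} accepts unauthenticated API calls"))
        elif bind in ALL_INTERFACES:
            findings.append(("medium", f"TLS-verified listener {bind}:{port} is exposed on all interfaces"))
    if tls:
        missing = [k for k in TLS_FILE_KEYS if not cfg.get(k)]
        if missing:
            findings.append(("high", "tlsverify enabled but missing " + ", ".join(missing)))
    return findings


def audit_daemon_json(raw):
    """Audit the JSON text of a daemon.json file."""
    return audit_config(json.loads(raw))


def audit_cmdline(cmdline):
    """Translate dockerd argv (-H/--host, --tlsverify, --tls* files) into the
    equivalent config dict and audit it the same way."""
    cfg = {"hosts": []}
    args = shlex.split(cmdline)[1:]         # drop the program name
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            cfg["hosts"].append(args[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            cfg["hosts"].append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            cfg["tlsverify"] = True
        elif a.startswith("--tls") and "=" in a:
            key, value = a[2:].split("=", 1)
            cfg[key] = value
        i += 1
    return audit_config(cfg)


if __name__ == "__main__":
    for label, result in (("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
                          ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
                          ("weak cmdline", audit_cmdline(WEAK_CMDLINE))):
        print(label, "->", result or "no findings")
```

Run it against the real /etc/docker/daemon.json or the dockerd line from `ps` on each host; any "high" finding is a daemon that would take instructions from anyone who can reach the port, which is exactly the population the worm targets.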
To expand on these points: the vector is internet-accessible Docker hosts which, once connected to, are instructed to download a malicious Docker image. This image contains a client tool used for communication and for spreading to other Docker hosts.
Spread from there is driven by a C2-downloaded list of vulnerable IPs, and the interesting point is that it is not a straightforward infection of every other accessible Docker host in the same fashion. Random hosts are picked to have their hosted malicious containers stopped, while at the same time crypto-jacking containers are started on other hosts. This random movement makes it harder to pinpoint compromised hosts, since infection does not mean immediate crypto-jacking activity.
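Because the mining containers are stopped on some hosts and started on others, a point-in-time look at one host can miss the infection; the Docker event stream is a better place to watch. The following is an added example (not code from the original post or from Illumio) that runs over lines in the shape of `docker events --format '{{json .}}'` output and raises alerts on two things: image pulls and container starts from a registry outside an allow-list, and repeated starts of the same image within a short window. The allow-list prefix, image names, container IDs and timestamps are constructed for the example.

```python
"""Flag unapproved images and start/stop churn in Docker event-stream output.

Added example; the event lines and the allow-list below are constructed.
"""
import json
from collections import defaultdict

# Constructed allow-list: only images from this registry prefix are expected.
APPROVED_PREFIXES = ("registry.internal.example/",)

# Constructed event lines in the shape of `docker events --format '{{json .}}'`.
# Image names, container IDs and times are invented for the example.
SAMPLE_EVENTS = [
    '{"Type":"image","Action":"pull","Actor":{"ID":"registry.internal.example/web:1.4","Attributes":{"name":"registry.internal.example/web"}},"time":1571000000}',
    '{"Type":"container","Action":"start","Actor":{"ID":"aaa111","Attributes":{"image":"registry.internal.example/web:1.4","name":"web"}},"time":1571000005}',
    '{"Type":"image","Action":"pull","Actor":{"ID":"docker.io/example-unknown/cpuhog:latest","Attributes":{"name":"docker.io/example-unknown/cpuhog"}},"time":1571000100}',
    '{"Type":"container","Action":"start","Actor":{"ID":"bbb222","Attributes":{"image":"docker.io/example-unknown/cpuhog:latest","name":"stoic_x"}},"time":1571000101}',
    '{"Type":"container","Action":"stop","Actor":{"ID":"bbb222","Attributes":{"image":"docker.io/example-unknown/cpuhog:latest","name":"stoic_x"}},"time":1571000150}',
    '{"Type":"container","Action":"start","Actor":{"ID":"ccc333","Attributes":{"image":"docker.io/example-unknown/cpuhog:latest","name":"eager_y"}},"time":1571000400}',
    '{"Type":"container","Action":"stop","Actor":{"ID":"ccc333","Attributes":{"image":"docker.io/example-unknown/cpuhog:latest","name":"eager_y"}},"time":1571000420}',
]


def is_approved(image_ref):
    """True when the image reference comes from an allow-listed registry."""
    return image_ref.startswith(APPROVED_PREFIXES)


def analyze_events(lines, churn_window=600, churn_threshold=2):
    """Return a list of (alert_kind, image, time) tuples.

    alert kinds:
      unapproved_pull  - an image was pulled from outside the allow-list
      unapproved_start - a container was started from such an image
      start_churn      - the same image was started >= churn_threshold times
                         within churn_window seconds (the stop/start shuffle)
    """
    alerts = []
    starts_by_image = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        actor = ev.get("Actor", {})
        attrs = actor.get("Attributes", {})
        t = int(ev.get("time", 0))
        if ev.get("Type") == "image" and ev.get("Action") == "pull":
            ref = actor.get("ID", "")
            if not is_approved(ref):
                alerts.append(("unapproved_pull", ref, t))
        elif ev.get("Type") == "container":
            image = attrs.get("image", "")
            if ev.get("Action") == "start":
                if not is_approved(image):
                    alerts.append(("unapproved_start", image, t))
                starts_by_image[image].append(t)
    # Sliding window over start times for each image.
    for image, times in starts_by_image.items():
        times.sort()
        for i, t0 in enumerate(times):
            j = i
            while j < len(times) and times[j] - t0 <= churn_window:
                j += 1
            if j - i >= churn_threshold:
                alerts.append(("start_churn", image, t0))
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

On a real host, pipe `docker events --format '{{json .}}'` into the function line by line; the churn check deliberately keys on the image rather than the container ID, because each restart in the shuffle described above is a fresh container.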
Considering the methods of prevention and containment (sorry again!) of this type of threat, the most important tenet is a holistic segmentation capability: treating containers as first-class citizens in terms of visualizing traffic flows to and from them, and a granular segmentation capability that allows the same policy creation and enforcement on bare-metal servers, VMs, and containers.
The initial infection vector is something the Illumio platform can visualize and prevent or control. Subsequent inter- (and intra-) container traffic can be managed specifically to prevent the worm aspect of this kind of malware from succeeding if a container is compromised, a malicious container is started on the Docker host, or the Docker host itself is compromised. The inherent zero-trust nature of the Illumio policy model avoids the danger presented by an arbitrarily open network. Illumio's Adaptive Security Platform helps prevent the lateral spread.
For more detail on the specifics of how the Illumio Adaptive Security Platform secures containerized workloads, see our live segmentation demo for containerized workloads here.
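To make the segmentation point concrete: the following is an added example (not Illumio's policy model or code) of a label-based, default-deny policy evaluator that treats hosts, VMs and containers uniformly. The workloads, labels, rule names and ports are constructed; the point it demonstrates is that with default deny in place, the two flows the worm needs (a container reaching the Docker API on another host, and a container fetching from an external address) are blocked unless someone wrote a rule for them, while the application's own traffic still passes.

```python
"""Label-based default-deny segmentation applied to hosts, VMs and containers alike.

Added example; the inventory, labels and rules are constructed.
"""

# Constructed inventory: every workload, whatever its kind, carries the same
# kind of labels, so one rule language covers bare metal, VMs and containers.
WORKLOADS = {
    "web-ctr-1": {"role": "web", "env": "prod", "kind": "container", "host": "node-a"},
    "web-ctr-2": {"role": "web", "env": "prod", "kind": "container", "host": "node-b"},
    "db-vm-1":   {"role": "db", "env": "prod", "kind": "vm"},
    "node-a":    {"role": "docker-host", "env": "prod", "kind": "host"},
    "node-b":    {"role": "docker-host", "env": "prod", "kind": "host"},
    "bastion":   {"role": "ops-bastion", "env": "prod", "kind": "vm"},
    "internet":  {"role": "any", "env": "external", "kind": "external"},
}

# Constructed allow rules; anything not matched is denied.
RULES = [
    {"name": "web-ingress", "src": {"env": "external"}, "dst": {"role": "web"}, "ports": {443}},
    {"name": "web-to-db", "src": {"role": "web", "env": "prod"}, "dst": {"role": "db", "env": "prod"}, "ports": {5432}},
    {"name": "ops-to-docker-api", "src": {"role": "ops-bastion"}, "dst": {"role": "docker-host"}, "ports": {2376}},
]


def matches(labels, selector):
    """A selector matches when every label it names has the required value."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(src, dst, port, rules=RULES, inventory=WORKLOADS):
    """Return ('allow', rule_name) for the first matching rule, else ('deny', 'default-deny')."""
    s, d = inventory[src], inventory[dst]
    for rule in rules:
        if matches(s, rule["src"]) and matches(d, rule["dst"]) and port in rule["ports"]:
            return ("allow", rule["name"])
    return ("deny", "default-deny")


def evaluate_flows(flows, rules=RULES):
    """Evaluate a list of (src, dst, port) flows and return the denied ones."""
    return [(src, dst, port) for src, dst, port in flows
            if evaluate(src, dst, port, rules)[0] == "deny"]


# Constructed flows: the application's normal traffic plus the movements the
# worm would need (reaching the Docker API on a peer host, fetching an image
# from outside, and being driven from the internet).
OBSERVED_FLOWS = [
    ("internet", "web-ctr-1", 443),      # legitimate ingress
    ("web-ctr-1", "db-vm-1", 5432),      # legitimate app traffic
    ("bastion", "node-a", 2376),         # legitimate administration
    ("web-ctr-1", "node-b", 2375),       # container reaching a peer host's Docker API
    ("internet", "node-a", 2375),        # internet reaching the Docker API directly
    ("web-ctr-1", "internet", 443),      # container fetching from outside (image / C2)
]

if __name__ == "__main__":
    for flow in OBSERVED_FLOWS:
        print(flow, "->", evaluate(*flow))
```

The example is deliberately more general than the post's three bullet points: the same evaluator covers ingress, east-west and egress flows, and swapping the inventory for real labels is all that is needed to test a proposed rule set against captured flows before enforcing it.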