Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Factor Cost Efficiency into Platform Engineering for Growth, Profitability
Mar 27th 2023 10:00am, by Omer Hamerman
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
A Is for OpenStack Antelope
Mar 22nd 2023 7:41am, by Steven J. Vaughan-Nichols
Grab a Snapshot of Your Container Image with Checkpoint
Mar 11th 2023 6:00am, by Jack Wallen
How to Identify Your Wasteful Processes
Mar 6th 2023 7:00am, by Sean Scott
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
Inspect Container Images with the docker scan Command
Mar 25th 2023 6:00am, by Jack Wallen
Building and Securing Containers with Slim.ai
Mar 24th 2023 11:59am, by Steven J. Vaughan-Nichols
Catching up with the Founder and CEO of Portainer
Mar 24th 2023 4:00am, by Jack Wallen
Check for Container Image Vulnerabilities with Trivy
Mar 18th 2023 6:00am, by Jack Wallen
What Wasm Needs to Reach the Edge
Mar 27th 2023 9:00am, by B. Cameron Gain
What Are Time Series Databases, and Why Do You Need Them?
Mar 27th 2023 5:00am, by Robert Kimani
Startup pgEdge Tackles the Distributed Edge with Postgres
Mar 27th 2023 4:00am, by Susan Hall
Rich Harris Talks SvelteKit and What’s Next for Svelte
Mar 20th 2023 3:00am, by Loraine Lawson
The Distance from Data to You in Edge Computing
Mar 19th 2023 6:00am, by Paul Scanlon
Saga Without the Headaches
Mar 24th 2023 10:00am, by Dominik Tornow
What Is Microservices Architecture?
Feb 23rd 2023 4:22am, by Eric Schabell
Java's History Could Point the Way for WebAssembly
Jan 12th 2023 3:00am, by B. Cameron Gain
Limiting the Deployment Blast Radius
Nov 15th 2022 8:14am, by Steven Lohrenz
Do ... or Do Not: Why Yoda Never Used Microservices
Oct 25th 2022 6:00am, by Samar Abbas
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
JWTs: Connecting the Dots: Why, When and How
Mar 20th 2023 7:10am, by Michal Trojanowski
Palo Alto Networks Adds AI to Automate SASE Admin Operations
Mar 17th 2023 6:00am, by Chris J. Preimesberger
TrueNAS SCALE Network Attached Storage Meets High Demand
Mar 2nd 2023 7:13am, by Jack Wallen
How Secure Is Your API Gateway?
Feb 28th 2023 5:16am, by Andrew Stiefel
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
TriggerMesh: Open Sourcing Event-Driven Applications
Mar 13th 2023 12:14pm, by Jessica Wachtel
Ably Touts Real-Time Starter Kits for Vercel and Netlify
Mar 8th 2023 10:56am, by Loraine Lawson
Going Serverless on AWS Lambda? Recognize Potential Risks 
Mar 6th 2023 5:00am, by Sarabjeet Chugh
Best Practices to Build IoT Analytics
Mar 27th 2023 9:33am, by Zoe Steinkamp
What Are Time Series Databases, and Why Do You Need Them?
Mar 27th 2023 5:00am, by Robert Kimani
The Economics of Database Operations
Mar 23rd 2023 8:25am, by John Page
Digital Anarchy: Abolishing State
Mar 23rd 2023 6:32am, by Tim Banks
ScyllaDB’s Incremental Changes: Just the Tip of the Iceberg
Mar 20th 2023 9:29am, by George Anadiotis
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
No More JavaScript: How Microsoft Blazor Uses WebAssembly
Mar 27th 2023 7:22am, by David Eastman
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by Loraine Lawson
Toolkit Allows JavaScript Devs to Program Embedded Devices
Mar 23rd 2023 11:06am, by Loraine Lawson
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Vercel Brings Logging, Monitoring to Its Observability Suite
Mar 22nd 2023 3:00am, by Jessica Wachtel
Automation: All Fun and Games Until Something Goes Wrong
Mar 27th 2023 10:47am, by Richard Gall
Best Practices to Build IoT Analytics
Mar 27th 2023 9:33am, by Zoe Steinkamp
Getting Developer Self-Service Right
Mar 27th 2023 7:32am, by Aeris Stewart
No More JavaScript: How Microsoft Blazor Uses WebAssembly
Mar 27th 2023 7:22am, by David Eastman
Building and Securing Containers with Slim.ai
Mar 24th 2023 11:59am, by Steven J. Vaughan-Nichols
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by Loraine Lawson
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by Loraine Lawson
What TypeScript Brings to Node.js
Dec 26th 2022 3:00am, by Paul Ferrill
Improve your TypeScript Skills with Type Challenges
Nov 11th 2022 3:00am, by Danni White
What Wasm Needs to Reach the Edge
Mar 27th 2023 9:00am, by B. Cameron Gain
No More JavaScript: How Microsoft Blazor Uses WebAssembly
Mar 27th 2023 7:22am, by David Eastman
WebAssembly Providers Speed Ahead to Fill Serverless Gaps
Mar 24th 2023 2:00am, by B. Cameron Gain
VMware and Other Wasm Players Want WebAssembly 
Mar 23rd 2023 8:52am, by B. Cameron Gain
Serverless WebAssembly for Browser Developers
Mar 22nd 2023 12:26pm, by Matt Butcher
Surprising Results in the 2023 Third-Party App Access Report
Mar 27th 2023 11:26am, by Maor Bin
Unlock the Next Wave of Machine Learning with the Hybrid Cloud
Mar 22nd 2023 10:00am, by Kjell Carlsson
Getting the Most from Kubernetes Autoscaling
Mar 21st 2023 7:06am, by Brian Likosar
ScyllaDB Challenges DynamoDB on Latency and Pricing
Mar 20th 2023 9:00am, by Jessica Wachtel
Multiple Vendors Make Data and Analytics Ubiquitous
Mar 20th 2023 5:00am, by Andrew Brust
Best Practices to Build IoT Analytics
Mar 27th 2023 9:33am, by Zoe Steinkamp
What Are Time Series Databases, and Why Do You Need Them?
Mar 27th 2023 5:00am, by Robert Kimani
Startup pgEdge Tackles the Distributed Edge with Postgres
Mar 27th 2023 4:00am, by Susan Hall
Saga Without the Headaches
Mar 24th 2023 10:00am, by Dominik Tornow
The Speed Layer Design Pattern for Analytics
Mar 24th 2023 8:12am, by Chad Meley
The Next Wave of Big Data Companies in the Age of ChatGPT
Mar 24th 2023 7:40am, by Richard MacManus
Nvidia Hones in on Apple-Like Approach to AI with CUDA
Mar 23rd 2023 7:34am, by Agam Shah
Stopping AI Hallucinations for Enterprise Is Key for Vectara
Mar 23rd 2023 4:00am, by Richard MacManus
Unlock the Next Wave of Machine Learning with the Hybrid Cloud
Mar 22nd 2023 10:00am, by Kjell Carlsson
Get More out of Machine Learning with Data Preprocessing
Mar 21st 2023 5:00am, by Alexander T. Williams
Twitter's Source Code Leak Adds to Elon Musk's Social Media Mess
Mar 27th 2023 1:42pm, by Steven J. Vaughan-Nichols
Surprising Results in the 2023 Third-Party App Access Report
Mar 27th 2023 11:26am, by Maor Bin
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
Inspect Container Images with the docker scan Command
Mar 25th 2023 6:00am, by Jack Wallen
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Automation: All Fun and Games Until Something Goes Wrong
Mar 27th 2023 10:47am, by Richard Gall
Factor Cost Efficiency into Platform Engineering for Growth, Profitability
Mar 27th 2023 10:00am, by Omer Hamerman
Getting Developer Self-Service Right
Mar 27th 2023 7:32am, by Aeris Stewart
Build Software Supply Chain Trust with a DevSecOps Platform
Mar 21st 2023 8:23am, by Diego Lapiduz
Simplify CI/CD with a General-Purpose Software Catalog
Mar 14th 2023 6:24am, by Zohar Einy
Automation: All Fun and Games Until Something Goes Wrong
Mar 27th 2023 10:47am, by Richard Gall
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Will Working from Home Kill the City?
Mar 26th 2023 6:00am, by David Cassel
Catching up with the Founder and CEO of Portainer
Mar 24th 2023 4:00am, by Jack Wallen
5 Myths about Puppet
Mar 23rd 2023 10:18am, by Jain Waldrip
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Simplify CI/CD with a General-Purpose Software Catalog
Mar 14th 2023 6:24am, by Zohar Einy
IBM Donates SBOM Code to OWASP
Mar 7th 2023 7:51am, by Steven J. Vaughan-Nichols
Slim.AI: Automating Vulnerability Remediation for a Shift-Left World
Feb 21st 2023 10:00am, by John Amaral
DevPod: Uber's MonoRepo-Based Remote Development Platform
Jan 26th 2023 3:00am, by Jessica Wachtel
How 2 Founders Sold Their Startup to Aqua Security in a Year
Mar 22nd 2023 1:42pm, by Heather Joslyn
Stephen Thaler Claims He's Built a Sentient AI
Mar 16th 2023 8:10am, by David Cassel
How Tech Leaders Are Managing Anxieties after SVB Failure
Mar 15th 2023 10:59am, by Heather Joslyn and Colleen Coll
Chatops: Where Automation, Collaboration and DevOps Culture Meet
Mar 15th 2023 8:19am, by Blair Rampling
What We Can Learn from Twitter's Outages
Mar 13th 2023 9:00am, by Jennifer Riggins
Automation: All Fun and Games Until Something Goes Wrong
Mar 27th 2023 10:47am, by Richard Gall
Getting Developer Self-Service Right
Mar 27th 2023 7:32am, by Aeris Stewart
Historical Data and Streaming: Friends, Not Foes
Mar 20th 2023 4:00am, by Michael Drogalis
Defining DORA-Like Metrics for Security Engineering
Mar 17th 2023 9:00am, by Daniel Koch
Chatops: Where Automation, Collaboration and DevOps Culture Meet
Mar 15th 2023 8:19am, by Blair Rampling
A Is for OpenStack Antelope
Mar 22nd 2023 7:41am, by Steven J. Vaughan-Nichols
Getting the Most from Kubernetes Autoscaling
Mar 21st 2023 7:06am, by Brian Likosar
Is Cluster API Really the Future of Kubernetes Deployment?
Mar 14th 2023 10:00am, by Steve Francis
Can WebAssembly Solve Serverless's Problems?
Mar 3rd 2023 5:13am, by B. Cameron Gain
5 Things to Consider When Building a Kubernetes Platform
Mar 2nd 2023 10:00am, by Ram Iyengar
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
Reducing the Cognitive Load Associated with Observability
Mar 22nd 2023 6:44am, by Alex Gervais
Vercel Brings Logging, Monitoring to Its Observability Suite
Mar 22nd 2023 3:00am, by Jessica Wachtel
Is Your Incident Response Better Than an Energy Company’s?
Mar 21st 2023 9:04am, by Paige Cruz
Why Audit Logs Are Important
Mar 16th 2023 8:34am, by James Walker
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
AmeriSave Moved Its Microservices to the Cloud with Traefik's Dynamic Reverse Proxy
Sep 8th 2022 2:02pm, by Ann R. Thryft
Can You Now Safely Remove the Service Mesh Sidecar?
Sep 8th 2022 9:19am, by B. Cameron Gain
Containers / Security

New Cryptojacking Worm Found in Docker Containers

A new cryptojacking worm, named Graboid, has been spread into more than 2,000 Docker hosts, according to the Unit 42 researchers from Palo Alto Networks. This is the first time such a piece of malware has spread via containers within the Docker Engine (specifically docker-ce).
Oct 22nd, 2019 1:48pm by
Featued image for: New Cryptojacking Worm Found in Docker Containers
Feature image via Unsplash.

A new cryptojacking worm, named Graboid, has been spread into more than 2,000 Docker hosts, according to the Unit 42 researchers from Palo Alto Networks. This is the first time such a piece of malware has spread via containers within the Docker Engine (specifically docker-ce).

For anyone who has worked with containers, it should be obvious why this is of utmost importance. In most cases, cryptojacking worms can be discovered and removed with standard software tools. In the case of containers, that is not always (if ever) true. In fact, according to the Unit 42 report, “this type of malicious activity can be difficult to detect.”

As a cryptojacking worm, Graboid malware serves two purposes:

  • Cryptomining
  • Spreading to other vulnerable hosts

How it works looks something like this:

  • That hacker locates an insecure Docker host and sends remote commands to download and deploy a malicious image named pocosow/centos:7.6.1810.
  • Using a malicious script (/var/sbin/bash) within the container, four shell scripts (live.sh, worm.sh, cleanxmr.sh, and xmr.sh) are downloaded from a Command and Control (C2) server.

The four scripts are executed, one at a time, with the following purposes:

  • The live.sh sends the number of available CPUs to the compromised C2 server.
  • The worm.sh script downloads a file that contains a list of IP addresses of hosts with unsecured Docker API endpoints and then randomly chooses one of the addresses as its target to deploy the infected container.
  • The cleanxmr.sh script randomly picks one of the hosts from the list and stops the cryptojacking containers on the target.
  • The xmr.sh randomly picks one of the hosts and deploys another image (gakeaws/nginx), which contains a binary masquerading as nginx.

A Complicated Issue

Malware found within container images poses a significant threat to businesses. When images aren’t vetted and secure, they can contain any number of issues. “Secure and validated delivery is the foundation of enterprise operating system. The software its running should always be taken from trusted sources, but the flood of insecure Docker images is a serious problem,” said SaltStack chief technology officer and founder Thomas Hatch.

With regards to Graboid, Hatch says, “Not only can the Graboid vulnerability spread, but the attack vector it uses is one of the oldest attack vectors out there. It is a simple software delivery hijack.” In other words, what would normally be a simple means of spreading and detecting, has been made exponentially more challenging (on the detecting side of things) due to the attacker using containers.

For any organization that depends upon Docker container images, it has become more crucial than ever to only use trusted sources for those images. However, the onus isn’t only on the images. Hosting servers and networks carry some of the burden as well.

Connor Gilbert, senior product manager at container security firm StackRox, says, “There really isn’t a good reason to expose the Docker engine in this way—it’s almost certainly a configuration mistake on the server and the network firewall (if there is a firewall at all).” In other words, a poorly configured server and network are just as guilty. Gilbert continues, “Leaving the Docker engine API server exposed without authentication lets people run whatever containers they want on your server if they can contact it. Because of the privileges the Docker engine has, this is like leaving the root account available over SSH with no password.”

What Can Be Done?

We’ve reached a point with containers where security must be constantly on the front burner. Antivirus and anti-malware applications currently have no means of analyzing and cleaning containers and container images. That’s the heart of the issue. And even tools like Harbor are only capable of determining if an image contains a vulnerability (not fixing them).

Because of this, it is absolutely critical to only use trusted images and secure the API servers for the likes of Docker and Kubernetes. As a container administrator, you must fully understand the tools available and the best practices for the tools you use.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
Deploy MongoDB in a Container, Access It Outside the Cluster Docker Swarm, a User-Friendly Alternative to Kubernetes Analyst Report: What CTOs Must Know about Kubernetes and Containers  Grab a Snapshot of Your Container Image with Checkpoint From a Fan: On the Ascendance of PostgreSQL
TNS owner Insight Partners is an investor in: Unit, Docker.
RELATED STORIES
What Is the Docker .env File and How Do You Use It? What Is Microservices Architecture? Kubernetes Needs to Take a Lesson from Portainer on Ease-of-Use From a Fan: On the Ascendance of PostgreSQL Deploy a Persistent Kubernetes Application with Portainer
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.