Misconfigured Docker API endpoints allow attackers to deliver DDoS botnet agent

The oracle.sh executable was originally written in Python code and was compiled with Cython (C-Extensions for Python). The code implements several different DDoS methods including TCP, UDP, and SYN packet floods, as well as target specific variations that aim to defeat various defenses.

For example, the standard UDP flood involves 40,000-byte packets that are fragmented because of the packet size limit of UDP creating an additional computational overhead on the target required to reassemble the fragments. However, the botnet also implements UDP floods with 18-, 20-, and 8-byte packets. These are launched with the commands called FIVE, VSE, and OVH and seem to be targeted at FiveM servers, Valve’s Source game engine, and French cloud computing company OVH.

The botnet also implements a Slowloris-type attack where it opens many connections to a server and continuously sends small amounts of data to keep those connections open. The bot client connects to a command-and-control server using basic authentication based on a hardcoded key, sends basic information about the host system, and listens for commands.

“The portability that containerization brings allows malicious payloads to be executed in a deterministic manner across Docker hosts, regardless of the configuration of the host itself,” the Cado researchers said. “Whilst OracleIV is not technically a supply chain attack, users of Docker Hub should be aware that malicious container images do indeed exist in Docker’s image library – an issue that seemingly won’t be rectified in the near future.”

The security firm advises organizations to periodically assess the Docker images they pull from Docker Hub to make sure they haven’t been Trojanized. Additionally, they should make sure all the APIs and management interfaces of cloud technologies such as Jupyter, Docker, and Redis are secured with authentication and protected by firewall rules.