Trend Micro researchers have identified a novel cyberattack targeting Docker remote API servers, where malicious actors are leveraging the gRPC protocol over HTTP/2 (h2c) to deploy the SRBMiner cryptominer. This attack facilitates the illicit mining of XRP cryptocurrency, highlighting a significant vulnerability in Docker’s remote management features. The attack begins with the threat actor probing the Docker API to determine its availability and version, which can expose misconfigurations and security weaknesses.
Once the attacker gains access, they initiate a request for a gRPC/h2c upgrade, enabling them to manipulate various Docker functionalities. Through this manipulation, the actor sends requests for health checks and other gRPC methods that allow them to operate within the Docker environment. The attacker then downloads the SRBMiner cryptominer from GitHub, deploying it onto the compromised system to start mining operations. This sophisticated approach effectively evades many security measures typically in place, as it uses legitimate APIs to conduct malicious activities.
As the attack unfolds, the attacker provides their cryptocurrency wallet address, which typically starts with an “r” to indicate it is a Ripple wallet. This method of mining is not only illegal but also raises concerns regarding the security of containerized applications, particularly in how organizations configure their Docker environments. The incident underscores the need for better security protocols and practices to protect against similar cyber threats.
To mitigate the risks associated with such attacks, organizations utilizing Docker are urged to implement stringent security measures. Proper configuration of containers and APIs is essential to reduce vulnerabilities. Additionally, Docker recommends running containers as application users rather than with root privileges and restricting access to trusted sources. Regular security audits and leveraging advanced security solutions, such as Trend Micro’s container security offerings, can further enhance the resilience of Docker environments against these emerging threats.
