Since 2017, criminals have increasingly attacked Docker and Kubernetes systems, which were already widespread by that time. Most of these attacks are extremely simple: cybercriminals scan the network looking for misconfigured systems with open administrator interfaces, and then hijack vulnerable servers and deploy malware on them (for example, for mining cryptocurrency).
While such attacks are commonplace these days, many web developers still don’t understand how to properly configure Docker, leaving their servers vulnerable to attackers. The most common of these errors is to leave API endpoints for remote administration accessible over the Internet without authentication.
In recent years, malware such as Doki, Ngrok, Kinsing (H2miner), XORDDOS, AESDDOS, Team TNT and others has actively sought out and infected such vulnerable servers, then deployed backdoors or miners on them.
Now, experts from the Chinese company Qihoo 360 have discovered a new malware called Blackrota, which also attacks vulnerable Docker servers. The malware is a simple backdoor Trojan that is, in fact, a simplified version of the CobaltStrike beacon implemented in the Go language.
So far only a Linux version of the malware has been discovered, and it is unclear exactly how it is being used. Researchers are not sure if there is a Windows version, if Blackrota is used to mine cryptocurrency, or if cybercriminals need powerful cloud servers for DDoS attacks.
With the discovery of yet another piece of malware, researchers once again emphasize that Docker is no longer a secondary technology: it has become a target of large-scale attacks almost daily. Companies, web developers and engineers using Docker are strongly encouraged to read the official documentation and at least learn how to configure authentication properly.