The hottest PaloAlto discloses unsafe docker
2022-09-29- Detail
Palo Alto discloses: the attacker's strategy and technology in the insecure docker daemon
16:04:30 Author: Palo Alto networks threat intelligence team unit 42 source: CTI forum comment: 0 Click:
the summary of the latest blog post is as follows:
between September 2019 and December 2019, The researchers of Palo Alto networks threat intelligence team unit 42 regularly scan and collect the docker host metadata exposed to the Internet (largely due to users' unintentional), This study revealed that yu'e Bao once publicly shouted out "The expected annualized yield is 7%. Attackers use some strategies and technologies in the infected docker engine. In our research, we found a total of 1400 insecure docker hosts, 8673 active containers, 17927 docker images and 15229 volumes. Figure 1 shows the location distribution of docker guarding processes, and Figure 2 shows the docker version and operating system type used. After our team informed the docker team of this situation, the docker group The team immediately worked quickly with unit 42 to remove malicious images
Figure 1: exposed unsafe docker host location
Figure 2 Unsafe docker host version (left) and operating system (right)
in the past few years, container technology has gained great popularity, and is becoming the mainstream method of packaging, delivery and deployment of new applications. Although this technology is developing rapidly and being adopted, it has also become an important target of attackers
although most malicious activities involve mining hijacking (mostly for Monroe coins), some infected docker engines are used to launch other attacks or install hacker programs on the host if the high-end core technology is not mastered. Sensitive information, such as application credentials and infrastructure configuration, can also be found in public logs. An interesting strategy we often see is that an attacker installs the entire host file system on a container and accesses the host operating system (OS) from the container to read/write to it
we divide the observed malicious activities into the following four categories:
malicious images are first pushed to the public registry. Then pull the image and deploy it on the insecure docker host
2. Deploy benign container images and download malicious payloads at runtime
the benign image has been deployed on the docker host. Then download and execute the malicious payload in the benign container
3. Deploy malicious loads on the host
an attacker will mount the entire host file system onto a container, and then access the host file system from that container
4. Get sensitive information from docker logs
attackers will crawl docker logs to find sensitive information, such as credentials and configuration information
four kinds of malicious activities observed in Figure 3
conclusion
this study provides a first-hand general view of the strategies and technologies used by attackers when destroying the container platform. We not only studied the malicious activities in the container platform, but also studied the countermeasures needed to detect and prevent these activities. Since most vulnerabilities are caused by the accidental exposure of insecure docker daemons to the Internet, some defense strategies that can effectively mitigate these vulnerabilities include:
when configuring TLS on the docker daemon socket, always enforce two-way authentication to improve toughness
use UNIX socket to communicate locally with the docker daemon, Or use SSH to connect to the remote docker daemon
only allow the client IP in the white list to access the docker server
enable content trust in docker, so as to only pull the signed and verified images
scan the vulnerabilities and malicious code in each container image
deploy runtime protection tools to monitor running containers
if you are a Palo Alto networks customer, you will get the following protection:
prism cloud vulnerability scanner can detect vulnerable or malicious code and block it during construction
prism cloud compute continuously monitors containers and hosts during runtime
for details of this study, please check the original English content:
about Palo Alto networks
as a global network security leader, Palo Alto networks (Palo Alto networks) is using its advanced technology to reshape the cloud centric future society and change the way humans and organizations operate. Our mission is to become the preferred network security partner and protect people's digital lifestyle. With our continuous innovation and breakthroughs in artificial intelligence, analysis, automation and orchestration, we help our customers cope with the world's most serious security challenges. By delivering integrated platforms and promoting the continuous growth of partner ecosystems, we have always been at the forefront of security, escorting tens of thousands of organizations in cloud, network and mobile devices. Our vision is to build an increasingly secure world
- ·Notes from Africa- Rivers of life (and catfish) -
- ·Looking for some fun- Try roller skating at Storyb
- ·UK consumer confidence rises to highest level sinc
- ·A week to forget - Today News Post
- ·High housing prices may push middle class out of m
- ·VALOREO startup raises $30 million for Latin Ameri
- ·The perfect Crème caramel - Today News Post
- ·Best gadgets on offer this Black Friday - The New
LINK
Copyright © 2011 JIN SHI