Palo Alto Networks discloses unsafe Docker daemons


Palo Alto Networks discloses the attacker tactics and techniques seen on insecure Docker daemons

16:04:30 Author: Palo Alto Networks threat intelligence team Unit 42. Source: CTI forum

The summary of the latest blog post is as follows:

Between September 2019 and December 2019, researchers of the Palo Alto Networks threat intelligence team Unit 42 regularly scanned for and collected metadata from Docker hosts exposed to the Internet (largely through users' unintentional misconfiguration). The study revealed the tactics and techniques attackers use on compromised Docker engines. In our research we found a total of 1400 insecure Docker hosts, 8673 active containers, 17927 Docker images and 15229 volumes. Figure 1 shows the geographic distribution of the exposed Docker daemons, and Figure 2 shows the Docker versions and operating system types in use. After our team informed the Docker team of this situation, the Docker team immediately worked with Unit 42 to remove the malicious images.

Figure 1: Locations of the exposed, unsafe Docker hosts

Figure 2: Unsafe Docker host versions (left) and operating systems (right)

In the past few years, container technology has gained great popularity and is becoming the mainstream method for packaging, delivering and deploying new applications. While this technology is developing rapidly and being widely adopted, it has also become an important target for attackers.

Although most of the malicious activity involves cryptojacking (mostly mining Monero), some compromised Docker engines are used to launch other attacks or to install hacking tools on the host. Sensitive information, such as application credentials and infrastructure configuration, can also be found in exposed logs. An interesting tactic we often see is that an attacker mounts the entire host file system into a container and then reads from and writes to the host operating system (OS) from inside that container.

We divide the observed malicious activities into the following four categories:

1. Deploy container images that contain malicious code

Malicious images are first pushed to a public registry. The attacker then pulls the image and deploys it on the insecure Docker host.

2. Deploy benign container images and download malicious payloads at runtime

A benign image is deployed on the Docker host. The malicious payload is then downloaded and executed inside the benign container.

3. Deploy malicious payloads on the host

The attacker mounts the entire host file system into a container and then accesses the host file system from that container.

4. Obtain sensitive information from Docker logs

Attackers crawl Docker logs looking for sensitive information, such as credentials and configuration data.

Figure 3: The four kinds of malicious activity observed
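The third category (a container with the host file system bind-mounted into it) is visible in the daemon's own `docker inspect` output, so a defender can audit a host for it without any extra agent. The following script is an added example, not Unit 42's tooling; the two inspect records it reads are constructed for illustration, and the list of sensitive host paths is an assumption chosen for the example. It reads only fields that real `docker inspect` output carries (`Name`, `HostConfig.Privileged`, `HostConfig.Binds`, `Mounts`).

```python
"""Flag containers that have the host file system (or other sensitive host
paths) bind-mounted, or that run privileged.

Added example; not code from the study. The inspect records below are
constructed, not real containers. Run `docker inspect $(docker ps -q)` and
feed the JSON to audit_containers() to check a real host.
"""
import json

# Host paths whose bind-mount into a container gives effective control of the
# host. Assumption for the example; extend to taste.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock")

# Constructed sample: one ordinary web container, one container that mounts
# "/" read-write and runs privileged (the pattern described in category 3).
SAMPLE_INSPECT = json.loads("""
[
  {
    "Name": "/web-frontend",
    "HostConfig": {"Privileged": false,
                   "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    "Mounts": [{"Type": "bind", "Source": "/srv/www",
                "Destination": "/usr/share/nginx/html", "RW": false}]
  },
  {
    "Name": "/ubuntu-miner",
    "HostConfig": {"Privileged": true, "Binds": ["/:/mnt"]},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt",
                "RW": true}]
  }
]
""")


def _normalize(path):
    """Strip a trailing slash so '/' and '/etc/' compare cleanly."""
    return path.rstrip("/") or "/"


def audit_containers(inspect_records):
    """Return a list of (container_name, finding) tuples.

    inspect_records is the parsed JSON list that `docker inspect` prints.
    """
    findings = []
    for rec in inspect_records:
        name = rec.get("Name", "?").lstrip("/")
        host_cfg = rec.get("HostConfig") or {}

        if host_cfg.get("Privileged"):
            findings.append((name, "privileged container"))

        # Collect bind-mount sources from both the Binds list (as given on
        # the command line) and the resolved Mounts list.
        sources = set()
        for bind in host_cfg.get("Binds") or []:
            sources.add(_normalize(bind.split(":")[0]))
        for mount in rec.get("Mounts") or []:
            if mount.get("Type") == "bind":
                sources.add(_normalize(mount.get("Source", "")))

        for src in sorted(sources):
            if src == "/":
                findings.append((name, "entire host file system bind-mounted"))
            elif any(src == p or src.startswith(p + "/")
                     for p in SENSITIVE_HOST_PATHS):
                findings.append((name, f"sensitive host path bind-mounted: {src}"))
    return findings


if __name__ == "__main__":
    for container, finding in audit_containers(SAMPLE_INSPECT):
        print(f"{container}: {finding}")
```

On the constructed sample only `ubuntu-miner` is reported (privileged, plus the whole host file system mounted); the read-only `/srv/www` bind of the web container is left alone. The check deliberately ignores mount mode: a read-only mount of `/` still exposes every secret on the host, so it is reported the same way.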


This study provides a first-hand overview of the tactics and techniques attackers use when compromising a container platform. We studied not only the malicious activity on the container platform but also the countermeasures needed to detect and prevent it. Since most of these compromises are caused by accidentally exposing an insecure Docker daemon to the Internet, defensive measures that effectively mitigate them include:

When configuring TLS on the Docker daemon socket, always enforce mutual (two-way) authentication to harden it

Use a UNIX socket to communicate locally with the Docker daemon, or use SSH to connect to a remote Docker daemon

Only allow client IPs on an allow list to reach the Docker server

Enable Docker Content Trust so that only signed and verified images are pulled

Scan every container image for vulnerabilities and malicious code

Deploy runtime protection tools to monitor running containers
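The first three measures above all come down to how the daemon is told to listen, which on a typical install is the `hosts`, `tls` and `tlsverify` keys of `/etc/docker/daemon.json`. The script below is an added example, not Palo Alto Networks code: it compares a weak configuration (a plain TCP listener on all interfaces) with a hardened one (UNIX socket plus a TCP listener bound to one address with `tlsverify`), and audits any such config for the exposure the study describes. Both configurations and their certificate paths are constructed for the example; the key names are the real `dockerd` ones.

```python
"""Audit a Docker daemon.json for a TCP listener without mutual TLS.

Added example, not the study's tooling. INSECURE_DAEMON_JSON and
HARDENED_DAEMON_JSON are constructed; the certificate paths in the
hardened config are placeholders. Keys read (all real dockerd options):
hosts, tls, tlsverify, tlscacert, tlscert, tlskey.
"""
import json
from urllib.parse import urlparse

# Weak: the daemon API is reachable from any address, with no authentication.
INSECURE_DAEMON_JSON = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
""")

# Hardened: local UNIX socket plus a TCP listener on one interface that
# requires a client certificate signed by the configured CA.
HARDENED_DAEMON_JSON = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
""")


def audit_daemon_config(cfg):
    """Return a list of finding strings; an empty list means nothing found."""
    findings = []
    # dockerd listens only on the local UNIX socket when hosts is absent.
    hosts = cfg.get("hosts") or ["unix:///var/run/docker.sock"]
    tls = bool(cfg.get("tls"))
    tlsverify = bool(cfg.get("tlsverify"))

    for listener in hosts:
        u = urlparse(listener)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        if not tlsverify:
            mode = "TLS without client verification" if tls else "no TLS at all"
            findings.append(f"tcp listener {u.netloc}: {mode}, "
                            "any client that can reach it controls the daemon")
        # tcp://:2375 and tcp://0.0.0.0:2375 both bind every interface.
        if u.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(f"tcp listener {u.netloc}: bound to all interfaces")

    if tlsverify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_DAEMON_JSON),
                       ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or ["ok"])
```

Two caveats when applying this on a real host: `tls` alone only encrypts the connection and still lets anyone connect, so the check treats it as a finding unless `tlsverify` is also set; and on systemd-based installs the `hosts` key in `daemon.json` conflicts with the `-H` flag in the stock unit file, so the listener may in fact be set there rather than in the file this script reads.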

If you are a Palo Alto Networks customer, you get the following protection:

The Prisma Cloud vulnerability scanner can detect vulnerable or malicious code and block it at build time

Prisma Cloud Compute continuously monitors containers and hosts at runtime

For the details of this study, please see the original English post:

About Palo Alto Networks

As a global network security leader, Palo Alto Networks is using its advanced technology to reshape a cloud-centric future and change the way people and organizations operate. Our mission is to be the preferred network security partner and to protect people's digital way of life. With our continuous innovation and breakthroughs in artificial intelligence, analytics, automation and orchestration, we help our customers address the world's most serious security challenges. By delivering integrated platforms and fostering the continued growth of our partner ecosystem, we have always been at the forefront of security, protecting tens of thousands of organizations across cloud, network and mobile devices. Our vision is a world that is more secure every day.

Copyright © 2011 JIN SHI