Warning over Graboid cryptojacking worm that spreads via insecure Docker software containers

The worm moves in small bursts, but remains relatively inept overall

Security researchers have discovered a new cryptojacking worm, dubbed Graboid, which is spreading via insecure containers running on the Docker Engine.

According to researchers at Unit 42 of Palo Alto Networks, the worm's images were hosted on Docker Hub, and it has infected more than 2,000 unsecured Docker Engine (Community Edition) hosts so far.

A distinctive feature of the worm is that it spreads in short, erratic bursts; however, its code appears somewhat inept, which thankfully limits its effectiveness as malware.

The researchers said that Graboid propagates by exploiting improper security settings on Docker hosts, rather than a software vulnerability in Docker itself.

The actors behind the worm "gained an initial foothold through unsecured Docker daemons," on which a Docker image containing malicious scripts was pulled and run. That container then downloaded the malware from command and control (C2) servers and deployed it to other insecure Docker hosts.

Graboid uses the infected hosts to mine the Monero cryptocurrency and regularly searches for new vulnerable hosts. It picks the next target at random and then infects it with the worm.

The initial malicious Docker image has been downloaded more than 10,000 times, according to the researchers, while the worm has been downloaded more than 6,500 times.

The presence of an image named "gakeaws/nginx" on a host, or in an image's build history, suggests a Graboid infection.

Unit 42 found that more than 50 per cent of the vulnerable hosts are located in China, while about 14 per cent are based in the US. Ireland accounts for four per cent of the vulnerable hosts, according to researchers.

The researchers said they ran a simulation of the worm (assuming that 70 per cent of the hosts are available at any given time) and found that it would take less than 60 minutes for the worm to infect 1,400 vulnerable hosts.

Unit 42 researchers are currently working with the Docker team to eliminate the malicious container images, but warn that the threat of future infections from variants remains.

Companies have been advised to lock down their containers and Docker hosts. A Docker daemon should never be reachable from the internet over an unauthenticated TCP port (a default Docker Engine installation listens only on a local Unix socket); administrators who need remote access should connect to the daemon over SSH instead, and should not run Docker images from unknown maintainers or repositories.
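The two operator checks that follow from the advice above (is dockerd reachable over an unauthenticated TCP socket, and is the "gakeaws/nginx" indicator present on the host) can be scripted. The script below is an added example written for this page; it is not code from Unit 42, Docker, or the article. The function names, the heuristic that a tcp:// listener bound to loopback is not network-reachable, and the constructed sample inputs are all assumptions of the example; the only indicator it looks for is the image name the article gives.

```shell
#!/bin/sh
# Added example (not Unit 42's or Docker's own tooling).
# Two offline checks for the article's advice:
#   1. is dockerd configured to listen on an unauthenticated tcp:// socket?
#   2. does the host carry Graboid's "gakeaws/nginx" image?
# Each function reads text on stdin (daemon.json, the dockerd command line, or
# saved `docker images` / `docker history` output), so it can be run over output
# collected from a fleet and tested against constructed samples.

# Print every tcp:// listener in daemon.json "hosts" or on the dockerd command
# line that is neither bound to loopback nor protected by tlsverify.
# Exit status 0 if at least one such listener was found, 1 if none.
exposed_tcp_listeners() {
  input=$(cat)
  found=1
  # "tlsverify": true in daemon.json or --tlsverify on the command line means
  # every tcp listener requires a client certificate, so nothing is flagged.
  if printf '%s' "$input" | grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true|--tlsverify'; then
    return 1
  fi
  for h in $(printf '%s' "$input" | grep -Eo 'tcp://[^"[:space:]]*' || true); do
    case "$h" in
      tcp://127.0.0.1:*|tcp://localhost:*|'tcp://[::1]:'*) ;;   # loopback only: not reachable from the network
      *) printf '%s\n' "$h"; found=0 ;;
    esac
  done
  return $found
}

# Print lines from `docker images --format '{{.Repository}}:{{.Tag}}'` or
# `docker history --no-trunc <image>` output that reference the article's
# indicator image. Exit status 0 if found, 1 otherwise.
graboid_image_present() {
  matches=$(grep -F 'gakeaws/nginx' || true)
  [ -n "$matches" ] || return 1
  printf '%s\n' "$matches"
}

# Demonstration on constructed input: the weak setting beside the safe one.
# On a real host feed it the live data instead, e.g.
#   exposed_tcp_listeners < /etc/docker/daemon.json
#   ps -o args= -C dockerd | exposed_tcp_listeners
#   docker images --format '{{.Repository}}:{{.Tag}}' | graboid_image_present
printf '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}\n' \
  | exposed_tcp_listeners && echo "weak: dockerd reachable without authentication"
printf '{"hosts": ["unix:///var/run/docker.sock"]}\n' \
  | exposed_tcp_listeners || echo "safe: local socket only; use DOCKER_HOST=ssh://user@host for remote access"
```

The first function deliberately treats any non-loopback tcp:// listener without tlsverify as exposed, including ones that a firewall may in practice block: the article's point is that the daemon itself performs no authentication, so the check should not depend on the network around it. The second function is only as good as the indicator it is given; a variant using a different image name would not be caught.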

This is not the first instance of attackers exploiting a vulnerability or improper security settings in Docker to infect systems.

In May, researchers warned that all current versions of Docker were vulnerable to a race condition bug that could enable an attacker to gain read-write access to any file or path on the host system from within a container.

In June, Unit 42 researchers said that more than 40,000 Kubernetes and Docker containers were discoverable on the internet, many of them misconfigured and exposing personal information from databases that should not have been publicly accessible.

In April, Docker admitted to a breach of its Hub database of container images, exposing the details of approximately 190,000 users.