Aqua Security Issues Docker API Alert

Aqua Security has issued an alert that notes the volume of cybersecurity attacks designed to exploit misconfigured open Docker Daemon application programming interface (API) ports is rising sharply.

Specifically, the company reports that cybercriminals are using the exposed API to start an Ubuntu container loaded with encrypted kinsing malware, which is used both to run cryptominer software and to spread that malware to other containers and hosts.
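The misconfiguration behind these attacks is a dockerd listener on a TCP port whose API accepts requests without TLS client-certificate verification, so anyone who can reach the port can create containers. The check below is an added example, not code from Aqua Security or the Docker project: it reads the listener settings from a daemon.json document or a dockerd command line (the option names are real; the configurations fed to it are constructed samples, and the hardened one assumes certificate paths under /etc/docker) and reports each exposed listener.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API listener.

Added example, not code from Aqua Security or the Docker project. dockerd takes
its listener settings from /etc/docker/daemon.json ("hosts", "tlsverify",
"tlscacert", "tlscert", "tlskey") or from the equivalent -H/--host and --tls*
command-line flags; both readers below handle the real option names, and every
configuration they are fed here is a constructed sample.
"""
import json
import shlex

# Constructed sample: the misconfiguration the alert describes. The API answers
# on every interface and any client that can reach the port is trusted.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the corrected configuration. The listener is bound to one
# address and clients must present a certificate signed by the given CA
# (assumed paths under /etc/docker).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def parse_daemon_json(text):
    """Read the listener-related keys out of a daemon.json document."""
    cfg = json.loads(text)
    return {"hosts": list(cfg.get("hosts", [])),
            "tlsverify": bool(cfg.get("tlsverify", False))}


def parse_dockerd_argv(cmdline):
    """Read -H/--host listeners and --tlsverify from a dockerd command line."""
    args = shlex.split(cmdline)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:      # -Htcp://... form
            hosts.append(arg[2:])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return {"hosts": hosts, "tlsverify": tlsverify}


def audit(cfg):
    """Return findings for every TCP listener; an empty list means no exposure."""
    findings = []
    for host in cfg["hosts"]:
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// are local-only
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if not cfg["tlsverify"]:
            findings.append(f"{host}: API reachable without client-certificate "
                            "verification; any caller can create containers")
        if addr in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{host}: listener bound to all interfaces")
    return findings


if __name__ == "__main__":
    checks = (
        ("weak daemon.json", parse_daemon_json(WEAK_DAEMON_JSON)),
        ("hardened daemon.json", parse_daemon_json(HARDENED_DAEMON_JSON)),
        ("weak argv", parse_dockerd_argv(
            "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375")),
    )
    for label, cfg in checks:
        print(label, audit(cfg) or ["ok"])
```

dockerd refuses to start when the hosts are set both in daemon.json and with -H on the command line, so on a given host only one of the two readers applies; run it against whichever the unit file or config actually uses, and treat any finding on a port reachable from outside the host as the exposure the alert is about.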

Idan Revivo, head of security research for Aqua Security, said that while misconfigured ports have always been an issue, it appears cybercriminals are now actively scanning for these ports as the volume of Docker containers deployed approaches a level of critical mass.

The kinsing malware is especially dangerous because a shell script it downloads, spre.sh, is used to spread the malware laterally across the container network. To discover potential targets and the material it needs to authenticate to them, the script passively collects SSH data already present on the compromised host, including user names and keys. The malware then attempts to connect to each discovered host, trying every possible user and key combination, in order to download another shell script and a further instance of the kinsing malware onto other hosts or containers in the network.
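From the point of view of the hosts being targeted, that spread looks like one source offering several harvested keys for several user names within seconds. The detector below is an added example, not Aqua Security's detection content; it runs over constructed sshd log lines and assumes sshd is logging at LogLevel VERBOSE, since at the default level a failed public-key offer is not recorded until several have failed, and its window and thresholds are illustrative rather than tuned values.

```python
"""Flag the SSH key fan-out that spre.sh performs, from the targets' sshd logs.

Added example, not Aqua Security's detection content. Assumptions: sshd logs at
LogLevel VERBOSE (so each offered key is recorded with its fingerprint), lines
follow the syslog layout of the constructed sample below, and one source that
offers several keys for several users inside a short window is worth an alert.
The window and thresholds are illustrative, not tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.5 is the compromised host trying two harvested keys
# against three users on web1 and finally landing; 192.168.1.20 is normal admin use.
SAMPLE_LOG = """\
Apr  6 10:00:01 web1 sshd[2001]: Failed publickey for root from 10.0.0.5 port 40120 ssh2: RSA SHA256:KEY1
Apr  6 10:00:01 web1 sshd[2002]: Failed publickey for root from 10.0.0.5 port 40121 ssh2: RSA SHA256:KEY2
Apr  6 10:00:02 web1 sshd[2003]: Failed publickey for ubuntu from 10.0.0.5 port 40122 ssh2: RSA SHA256:KEY1
Apr  6 10:00:02 web1 sshd[2004]: Failed publickey for ubuntu from 10.0.0.5 port 40123 ssh2: RSA SHA256:KEY2
Apr  6 10:00:03 web1 sshd[2005]: Failed publickey for deploy from 10.0.0.5 port 40124 ssh2: RSA SHA256:KEY1
Apr  6 10:00:03 web1 sshd[2006]: Accepted publickey for deploy from 10.0.0.5 port 40125 ssh2: RSA SHA256:KEY2
Apr  6 10:05:00 web1 sshd[2100]: Accepted publickey for alice from 192.168.1.20 port 51000 ssh2: ED25519 SHA256:ADMIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2: \S+ (?P<fp>SHA256:\S+)$"
)

WINDOW_SECONDS = 60   # how long one fan-out burst is allowed to span
MIN_USERS = 2         # distinct user names tried from one source
MIN_KEYS = 2          # distinct key fingerprints offered from one source


def parse_events(text, year=2020):
    """Turn publickey auth lines into dicts; syslog omits the year, so supply it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"],
                       "src": m["src"], "fp": m["fp"]})
    return events


def detect_fanout(events):
    """One alert per source whose window holds >= MIN_USERS users and MIN_KEYS keys."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= WINDOW_SECONDS]
            users = {e["user"] for e in window}
            keys = {e["fp"] for e in window}
            if len(users) >= MIN_USERS and len(keys) >= MIN_KEYS:
                alerts.append({
                    "src": src,
                    "first_seen": start["ts"],
                    "users": sorted(users),
                    "keys": len(keys),
                    # a success inside the burst means the spread worked
                    "accepted": [(e["user"], e["fp"]) for e in window
                                 if e["result"] == "Accepted"],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_events(SAMPLE_LOG)):
        print(alert)
```

The useful signal is the combination, not the failures alone: a legitimate automation account may fail with a stale key, but it does not offer several different keys for several different user names from one address in a few seconds, and an Accepted line inside such a burst identifies exactly which user and key the malware used to land.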

Revivo said IT organizations would be well-advised to rely on additional layers of security that go beyond basic static scanning of containers. Because API security is often overlooked these days, cybersecurity specialists should also make certain that container APIs and runtime environments are secure.

The warning from Aqua Security regarding API ports comes at a time when responsibility for cybersecurity is in a state of flux within many IT organizations. In theory, developers are assuming more responsibility for implementing cybersecurity controls within the context of a DevSecOps process. However, cybersecurity professionals are still responsible for verifying controls are actually implemented. To make matters more challenging, it turns out most cloud security issues can be traced back to misconfigurations that result from developers attempting to programmatically provision cloud infrastructure.

It’s not at all clear to what degree container security concerns might be limiting adoption. On the one hand, containerized applications are generally easier to defend than monolithic applications because it’s easier to rip and replace a compromised container than it is to patch a monolithic application. However, microservices-based applications built using containers often have a lot of dependencies, which can make securing all the endpoints and runtimes involved a significant challenge.

Regardless of the level of difficulty, however, it’s clear that more containerized applications are being deployed in production environments every day. Many cybersecurity teams are not getting much visibility into these applications before they are deployed in a production environment because many DevOps teams are concerned that cybersecurity teams will slow down the rate at which code is released. The assumption is that vulnerabilities will be prioritized and addressed as part of a continuous cycle of updates to the application as they are discovered.

Naturally, it’s not clear to what degree organizations will remain comfortable with that status quo. However, the one thing that is for certain is that as cybercriminals continue to target Docker containers, a long-simmering debate about container security is about to come to a head.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
