CrowdStrike: DoS Attack Against Russia Uses Containers

CrowdStrike today revealed that it has detected the surreptitious use of containers to launch distributed denial-of-service (DDoS) attacks against IT assets in Russia and Belarus.

A Docker honeypot set up by CrowdStrike, a managed security services provider, uncovered two different Docker images targeting Russian and Belarusian websites in a denial-of-service (DoS) attack. The two images have been downloaded over 150,000 times and target domains identified as targets by the Ukraine IT Army (UIA), an ad hoc group of cybersecurity professionals who are lending their expertise to help defend Ukraine.

Adam Meyers, senior vice president of intelligence at CrowdStrike, says the issue is a potential threat to organizations that may find their IT infrastructure is being used to help launch these attacks without their knowledge. Once cybersecurity analysts within Russia and Belarus determine the source of the attacks, those countries—or agents acting on their behalf—may launch counterstrikes to disable that IT infrastructure, he notes. In effect, organizations would become collateral damage as the conflict between Russia and Ukraine continues to escalate, adds Meyers.

Between February 27 and March 1, 2022, Docker Engine honeypots—set up by CrowdStrike to identify cyberattacks being launched using containers—were compromised four times to execute two different Docker images targeting Russian and Belarusian websites with a DoS attack. The honeypot was compromised via an exposed Docker Engine API, a technique commonly used to compromise misconfigured container engines.
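The exposure CrowdStrike describes is a Docker Engine API listening on TCP without TLS client authentication, which lets anyone who can reach the port create containers. The following is an added example (not CrowdStrike's code or output) that audits a daemon.json file and, optionally, the dockerd ExecStart line from a systemd unit for such a listener. The configuration samples are constructed; the weak one shows the classic unauthenticated listener on port 2375, the hardened one a TLS-verified listener bound to loopback.

```python
"""Audit a Docker Engine configuration for an API endpoint exposed over TCP
without TLS client authentication.

Added example for this article; the daemon.json and ExecStart samples below
are constructed, not taken from CrowdStrike's honeypots.
"""
import json
import shlex
from urllib.parse import urlparse

# dockerd convention: 2375 is the port for the unencrypted API, 2376 for TLS.
# A tcp:// host without an explicit port is treated as 2375 here, as dockerd does.
DEFAULT_PLAINTEXT_PORT = 2375
ANY_INTERFACE = {"", "0.0.0.0", "::"}


def collect_hosts(cfg: dict, exec_start: str) -> list:
    """Listener URLs from the daemon.json "hosts" key plus -H/--host flags on
    the dockerd command line (systemd ExecStart). dockerd refuses to mix the
    two, but an auditor should read both places."""
    hosts = list(cfg.get("hosts", []))
    argv = shlex.split(exec_start)
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith("--host="):
            hosts.append(tok.split("=", 1)[1])
    return hosts


def audit_daemon_config(daemon_json: str, exec_start: str = "") -> list:
    """Return human-readable findings; an empty list means no exposed API."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(exec_start)
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in argv
    findings = []
    for host in collect_hosts(cfg, exec_start):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        bind = url.hostname or ""
        port = url.port or DEFAULT_PLAINTEXT_PORT
        shown_bind = f"[{bind}]" if ":" in bind else (bind or "0.0.0.0")
        shown = f"tcp://{shown_bind}:{port}"
        if not tls_verify:
            findings.append(f"{shown}: Engine API without TLS client verification")
        elif bind in ANY_INTERFACE:
            findings.append(f"{shown}: TLS enabled but bound to every interface")
    return findings


# Constructed sample configurations (not from the report).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_EXEC_START = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    for name, cfg, unit in [
        ("weak daemon.json", WEAK_DAEMON_JSON, ""),
        ("hardened daemon.json", HARDENED_DAEMON_JSON, ""),
        ("weak ExecStart", "", WEAK_EXEC_START),
    ]:
        print(name, "->", audit_daemon_config(cfg, unit) or ["no exposed API"])
```

Run it against `/etc/docker/daemon.json` and the output of `systemctl cat docker` on a host; any finding means the engine accepts `docker run` from whoever can reach that address, which is exactly how the honeypots were made to pull and start the two images.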

The first Docker image, observed in three of the four incidents and called abagayev/stop-russia, is hosted on Docker Hub. The image contains bombardier, a Go-based HTTP benchmarking tool (SHA256 6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453) that stress-tests a website by issuing HTTP requests. In this case the tool was abused as a DoS tool that starts automatically whenever a container is created from the image. On startup, the target-selection routine picks a random entry from a hard-coded target list; later versions of the image instead pick one of the first 24 entries of the list based on the current hour.

The second Docker image, deployed on February 28, 2022, is named erikmnkl/stoppropaganda and has been downloaded over 50,000 times from Docker Hub. It contains a custom Go-based DoS program named stoppropaganda (SHA256 3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f) that floods a list of target websites with HTTP GET requests. In addition to targets in Russia and Belarus, these images also target news sites in Lithuania.
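The two image names and two SHA256 hashes above are the indicators an operator can act on. The following added example (not CrowdStrike's tooling) matches them against what a host actually holds: it checks `docker image inspect` output for the named repositories regardless of tag or registry prefix, and hashes every file under a directory (for instance an unpacked `docker save` or `docker export` tree) against the published binary hashes. The inspect output and the file hashed in the demo are constructed for the demonstration; only the two hashes and two repository names come from the article.

```python
"""Match container artifacts against the indicators CrowdStrike published for
the two images: the Docker Hub repository names and the SHA256 hashes of the
bombardier and stoppropaganda binaries.

Added example; the `docker image inspect` output and the file hashed in
demo_scan() are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile

# SHA256 indicators from the article (binaries inside the images).
KNOWN_BAD_SHA256 = {
    "6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453":
        "bombardier build shipped in abagayev/stop-russia",
    "3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f":
        "stoppropaganda from erikmnkl/stoppropaganda",
}
# Docker Hub repositories named in the article (matched without tag).
KNOWN_BAD_REPOS = {"abagayev/stop-russia", "erikmnkl/stoppropaganda"}


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, iocs=KNOWN_BAD_SHA256) -> list:
    """Hash every regular file under root and return (relative path, label)
    for each file whose digest is in the indicator set."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            label = iocs.get(sha256_file(path))
            if label:
                hits.append((os.path.relpath(path, root), label))
    return sorted(hits)


def repo_of(tag: str) -> str:
    """'registry/ns/name:tag' -> 'registry/ns/name'. Only the last path
    component is split on ':', so a registry port (host:5000/ns/name) survives."""
    head, _, last = tag.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def check_image_inspect(inspect_json: str, bad_repos=KNOWN_BAD_REPOS) -> list:
    """Return the RepoTags from `docker image inspect` output that name one of
    the known repositories, with or without a registry prefix."""
    matched = []
    for image in json.loads(inspect_json):
        for tag in image.get("RepoTags") or []:
            repo = repo_of(tag)
            if any(repo == r or repo.endswith("/" + r) for r in bad_repos):
                matched.append(tag)
    return matched


# Constructed `docker image inspect` output: two flagged images (one with a
# registry prefix) and one benign image. Ids are placeholders.
SAMPLE_INSPECT = json.dumps([
    {"Id": "sha256:" + "0" * 64, "RepoTags": ["abagayev/stop-russia:latest"]},
    {"Id": "sha256:" + "1" * 64, "RepoTags": ["docker.io/erikmnkl/stoppropaganda:1.0"]},
    {"Id": "sha256:" + "2" * 64, "RepoTags": ["nginx:1.21", "notabagayev/stop-russia:x"]},
])


def demo_scan() -> list:
    """Offline run of scan_tree: hash a constructed file and match it against
    a constructed indicator added to the published set."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "usr", "local", "bin", "tool")
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as f:
            f.write(b"constructed sample binary\n")
        constructed_ioc = {sha256_file(sample): "constructed test indicator"}
        return scan_tree(root, {**KNOWN_BAD_SHA256, **constructed_ioc})


if __name__ == "__main__":
    print("flagged tags:", check_image_inspect(SAMPLE_INSPECT))
    print("file hits:", demo_scan())
```

On a real host, feed `docker image inspect $(docker image ls -q)` to `check_image_inspect` and point `scan_tree` at an exported container filesystem; a hash hit is definitive for the exact builds CrowdStrike saw, while a repository-name hit is the cheaper check for images that have merely been pulled.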

Meyers says that many organizations are not aware of the extent to which the container infrastructure they are using can be compromised. Most containers are deployed by developers who don’t have much cybersecurity expertise. Many of them assume that because a container typically runs only for a few seconds, these artifacts are relatively secure. The issue is that cybercriminals are getting more adept at creating rogue containers capable of compromising the infrastructure upon which legitimate containers depend.

It’s not clear to what degree containers are now being employed to launch cyberattacks but, like it or not, many organizations may soon find they have been unwittingly pulled into a conflict that was not of their making.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.