Hackers Exploit Docker Remote API Servers To Inject Gafgyt Malware


The Gafgyt malware (often referred to as Bashlite or Lizkebab) has expanded its attack scope by targeting publicly exposed Docker Remote API servers.

Gafgyt, also known as Bashlite, and Mirai have targeted millions of vulnerable IoT devices in recent years. The new finding that this malware is attacking Docker Remote API servers indicates a significant change in its behavior.

In this instance, the attackers targeted publicly accessible, misconfigured Docker Remote API servers and spread the malware by creating a Docker container based on the legitimate “alpine” Docker image.

The attackers then deployed the Gafgyt botnet malware into that container to infect the victim. Once it is deployed, the attacker can direct the bot to launch DDoS attacks.


How Do Attackers Exploit Exposed Docker Remote API Servers?

Trend Micro reports that the attacker first attempted to install the Rust-written Gafgyt botnet binary, named “rbot,” in a Docker container created from the “alpine” Docker image.

Attack Flow

The attacker creates the container with the “Binds”:[“/:/mnt”] option, which mounts the host’s root directory (/) at /mnt inside the container, and then uses “chroot” to switch the container’s root directory to “/mnt”.

With this configuration, the container can read and change the host’s filesystem as if it were its own, which may allow the attacker to escalate privileges and take over the host machine.

When the malicious bot successfully communicates with the C2 server, it parses the response and uses HTTP, TCP, and UDP to execute a DDoS attack.

When the container creation request failed, the attacker attempted to deploy another container using a different Gafgyt binary, still based on the same Alpine Docker image.

Researchers say that the code uses Google’s DNS server 8.8.8.8 as a target IP to decide which local IP address and network interface the system will use for outgoing communication.

Once the socket is created and a connection is attempted, the binary obtains the local IP address of the interface that would be used to communicate with Google’s DNS server.

Recommendation

  • Protect Docker Remote API servers from unauthorized access by putting robust access restrictions and authentication procedures in place.
  • Keep an eye on Docker Remote API servers for any odd behavior.
  • Adopt standard practices for container security, including avoiding “Privileged” mode and thoroughly checking container images and configurations before deployment.
  • Keep yourself updated on Docker and related software security fixes and updates.
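As an added example (not code from the article or from the Trend Micro report), the following Python audit walks `docker inspect`-style container records and flags the indicators described in the attack flow above and in the recommendations: a bind mount of the host root (such as “/:/mnt”) or other sensitive host path, “Privileged” mode, and a container command that invokes `chroot`. The records are constructed sample data, not real containers; in practice they would come from `docker inspect` or the Docker API’s container JSON endpoint.

```python
import json

# Constructed sample records in the shape of `docker inspect` output (not real containers).
SAMPLE_INSPECT = json.dumps([
    {   # mirrors the reported pattern: alpine image, host root bound to /mnt, chroot into it
        "Id": "c0ffee01",
        "Config": {"Image": "alpine", "Cmd": ["chroot", "/mnt", "/bin/sh"]},
        "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
    },
    {   # benign: read-only bind of a web root
        "Id": "c0ffee02",
        "Config": {"Image": "nginx:1.27", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
    },
    {   # privileged container with no binds
        "Id": "c0ffee03",
        "Config": {"Image": "alpine", "Cmd": ["sh"]},
        "HostConfig": {"Binds": [], "Privileged": True},
    },
])

# Host paths whose exposure to a container effectively hands over the host (list chosen here as an example).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

def host_path_of(bind):
    """Return the host side of a 'host:container[:options]' bind entry."""
    return bind.split(":", 1)[0]

def audit_container(record):
    """Return a list of human-readable findings for one inspect record."""
    findings = []
    host_cfg = record.get("HostConfig", {})
    cmd = record.get("Config", {}).get("Cmd") or []
    for bind in host_cfg.get("Binds") or []:
        host_path = host_path_of(bind)
        if host_path == "/" or host_path.rstrip("/") in SENSITIVE_HOST_PATHS:
            findings.append(f"host path {host_path!r} bind-mounted via {bind!r}")
    if host_cfg.get("Privileged"):
        findings.append("container runs in Privileged mode")
    if "chroot" in cmd:
        findings.append("container command invokes chroot (host-filesystem takeover pattern)")
    return findings

def audit_all(inspect_json):
    """Map container Id -> findings for every container that has at least one finding."""
    return {r["Id"]: f for r in json.loads(inspect_json) if (f := audit_container(r))}

if __name__ == "__main__":
    for cid, findings in audit_all(SAMPLE_INSPECT).items():
        print(cid, *findings, sep="\n  ")
```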


The post Hackers Exploit Docker Remote API Servers To Inject Gafgyt Malware appeared first on Cyber Security News.


About Author

Chad Barr
