Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Jen Miller-Osborn: So, the researchers initially found this because they were specifically looking for repositories which were mimicking legitimate repository names.
Dave Bittner: That's Jen Miller-Osborn. She's Deputy Director of Threat Intelligence with Palo Alto Networks Unit 42. The research we're discussing today is titled, "Attackers Cryptojacking Docker Images to Mine for Monero."
Jen Miller-Osborn: So, the account particularly that they found, you'll note that it begins with "azure," and then it had "nql" appended to it, and then a random string of numbers. So that was what initially kind of tipped off the researchers that there might be something worth looking at here, because it wasn't a legitimate actual image, but it was definitely trying to pretend that it was one. And then when they actually pulled them down and ran them, they realized that they were installing coinmining software on the systems that they were installed on. So, it was a cryptojacking attack, and they were just – their goal was to trick users into thinking these were legitimate images. So when they downloaded them and ran them, they actually ran the way they're supposed to, and nothing happens to let a user know that cryptomining software has been installed, right? It doesn't spike the CPU usage, it doesn't do anything in front of you. So as far as someone who had downloaded it would be concerned, this would seem to work perfectly fine. There's no indication that there's something malicious going on. And it looks like they were pretty successful because we were able to see that the images have been downloaded over two million times.
Dave Bittner: Wow.
Jen Miller-Osborn: So, they fooled a lot of people.
Dave Bittner: Well, let's back up here and go over some of the basics together, for folks who might not be up on some of the specifics. Can you describe to us exactly how Docker works and sort of the backstory of the ecosystem here, that these folks inserted themselves into?
Jen Miller-Osborn: Sure. So, Docker is a very popular kind of cloud container service. And one of the reasons it's become so popular is because there's a component called "Docker Hub," which has a very strong kind of community surrounding it. So, it's very common for people to host other images and repositories to Docker Hub for people to pull down if they've already created ones for specific use cases and things like that. What attackers are doing is they're taking advantage of that community-based model where people have traditionally been posting things to help other people. Well, now you have attackers inserting themselves into that and they're posting things that appear to be helpful, but in fact are actually installing cryptomining software.
Dave Bittner: So, a legitimate use case of this would be, for example, if I were putting together some sort of bit of software, I could go to Docker Hub and look for a component that might help me along the way, something that would have some sort of functionality that would help with the thing that I'm trying to do.
Jen Miller-Osborn: Mm-hmm. Yep.
Dave Bittner: And so, the bad guys, in this particular case, what were they trying to disguise their containers as?
Jen Miller-Osborn: So, they were trying to mimic Azure, was their goal. And what people downloaded actually appeared to be a legitimate installation. The only difference, the only real change the actors made to this was they added cryptojacking software, and they took one extra step when they did that of also having Tor installed along with this. So, they came up with the rather clever way of hiding the C2 on the backend, because one of the typical ways this would be detected would be the C2 comms back and forth. But because the attackers for this chose to route that back through Tor, that breaks that kind of typical detection pattern that a lot of people tend to have in place for things like this.
Dave Bittner: Hmm. Well, let's walk through it together. So, suppose that I'm someone who was looking for a component like this, and one of these caught my eye and I go ahead and download it. What happens next?
Jen Miller-Osborn: So, while you're downloading it and it's installing what appears to be what you wanted in the background, what the program is doing is, it's installing Tor as well as the coinmining software. So, you're getting what you wanted, but you're getting some malware along with it. And unfortunately, they also were a little bit more clever in hiding the comms, so by installing Tor and using that, it breaks a lot of detection that you would typically see. So now you're relying on there being something on the host itself that could detect the behavior of the coinminer that's not reliant upon in any way being able to see the kind of the C2 communication.
Dave Bittner: I see. And the installation of these extra components – of the Tor components and then also the cryptominer – these would go undetected?
Jen Miller-Osborn: Mm-hmm. Depending on what sort of protection you're running, if you don't have something that's specifically with these running on, like, an endpoint, it's likely to go undetected, especially because if you're running things largely only at the firewall level, that can – that's what they're using Tor for to kind of get around, is to get things through a firewall that way, to hide it. Because, while in some cases organizations do block Tor and that would break this, in a lot of cases, there's a lot of legitimate uses for Tor, so it's allowed through. But one of the components of that means that there's no visibility into what the actual contents of the traffic are. So, it's kind of a sneaky little way that the authors got around that, which was interesting.
Dave Bittner: Yeah, it's also interesting to me that you mentioned that they had a little bit of restraint when it came to their cryptomining components as well. You know, I think often when we think about cryptomining, you think, you know, you get infected with something and the first thing that happens is all your fans start spinning at maximum speed as your processors are pegged. But they were a little more careful than that.
Jen Miller-Osborn: Mm-hmm, yep. They made sure that that was not going to happen and they weren't taking up an excess amount of resources. So they could – conceptually, they could just sit there forever, or until they're actually caught and kicked out, and they'd been successful. One of the wallets that we were able to identify as being associated with this had about thirty-six thousand dollars worth of Bitcoin in it. And that's only one of the wallets we were able to figure out how much money was in it. So, this potentially had been very lucrative for them, and all they had to do was just create this malicious image, post it to Docker Hub, and basically sit back and profit. (Laughs) That's about as complicated as this is.
Dave Bittner: Right. Well, but as you say, I mean, the functionality that people were looking for, that's built into it as well. So these are functioning the way that you think they should. You're just not aware that in the background there's this mining going on.
Jen Miller-Osborn: Yep. And in a lot of cases, people just kind of – they don't really view it as a problem because nothing traditionally malicious is actually happening. You know, they're able to use their computer. None of the resources are spiking. There's nothing being exfiltrated, there's nothing actually being damaged. So, it's sort of – people tend to not pay as much attention to it. But the problem with this is, while this isn't doing any damage, it's still something that you didn't know and/or didn't want installed. And that just highlights a security hole, because if that's there, and this is relatively benign, what else could potentially also get into the system through a similar kind of security hole? Like, in this case, you were lucky and it was a coinminer. Next time you might not be lucky and it could be ransomware.
Dave Bittner: Right.
Jen Miller-Osborn: So, it's definitely something that people should pay attention to.
Dave Bittner: And you all reached out to the folks who run the Docker Hub, and they've been quite responsive.
Jen Miller-Osborn: Yep, they're absolutely great to work with. You know, they're in a difficult position as well. So they are super responsive when you bring anything to their attention to take things like this down.
Dave Bittner: So, what are ways that folks can detect this sort of thing?
Jen Miller-Osborn: It's – honestly, it's relatively difficult. You need to have some sort of good threat signatures at a, say, a firewall or a next-generation firewall, and then outside of that, you need to be running something that can look inside cloud containers, basically, and check them for malware or malicious behavior.
Jen Miller-Osborn: Now, with everyone and kind of at home and everything shifting exclusively online, you know, that means that all different types of criminals are also going to shift in that direction looking for ways to make money. And this is one way where it was relatively simple and they were able to make quite a bit of money.
Dave Bittner: Our thanks to Jen Miller-Osborn from Palo Alto Networks Unit 42 for joining us. The research we discussed was titled, "Attackers Cryptojacking Docker Images to Mine for Monero." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.