Researchers Discover Crypto-Jacking Worm Spreading via Unsecured Docker Hosts
For the first time, researchers have uncovered a crypto-jacking worm that spreads through unsecured Docker hosts. The new strain of malware, named Graboid, has already infected over 2,000 Docker hosts by exploiting unsecured Docker Engine (Community Edition) installations.
Graboid: The Incompetent Crypto-Jacking Worm
Named after the fictional subterranean sandworms from the nineties movie Tremors, Graboid is characterized by its quick but relatively incompetent nature. The malware operates in a randomized manner, performing both worm-spreading and crypto-jacking activities within containers. It selects three targets during each iteration – installing the worm on the first, stopping the miner on the second, and starting the miner on the third. This erratic behavior results in a haphazard mining process.
According to researchers, Graboid mines the cryptocurrency Monero for an average of just over four minutes before moving on to infect new vulnerable hosts. It gains initial access through unsecured Docker daemons, deploying a Docker image that then runs on the compromised host.
Warning and Recommendations
While Graboid’s current impact may seem minimal, researchers caution that its capabilities could evolve into a more significant threat. Organizations are advised to secure their Docker hosts to prevent further spread of the worm.
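The exposure Graboid relies on is a Docker daemon reachable over TCP without client authentication. The following audit script is an added example (not from the article or from the researchers' report): it reads a daemon.json configuration and flags TCP listeners that lack TLS client verification, with a constructed weak configuration beside a hardened one.

```python
"""Audit a Docker daemon.json for unauthenticated TCP API exposure.

Added example for this article; the two sample configurations below are
constructed for illustration and are not taken from any real host.
"""
import json
from typing import List

ALL_INTERFACES = ("", "0.0.0.0", "[::]", "::")


def audit_daemon_config(config_json: str) -> List[str]:
    """Return findings for the daemon config; an empty list means no unsecured TCP listener."""
    cfg = json.loads(config_json)
    findings: List[str] = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: the API is not reachable over the network

    # dockerd only authenticates remote clients when tlsverify is set and a CA,
    # server certificate and key are configured.
    tls_ok = cfg.get("tlsverify") is True and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey")
    )
    if tls_ok:
        return findings

    for host in tcp_hosts:
        bind_addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if bind_addr in ALL_INTERFACES:
            findings.append(f"{host}: API reachable from the network without authentication")
        else:
            findings.append(f"{host}: TCP listener without TLS (local exposure only)")
    return findings


# Constructed samples: the weak config is the pattern a worm like Graboid abuses.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or ["ok"])
```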
Tim Erlin, VP of product management and strategy at Tripwire, emphasizes the importance of addressing security in the DevOps lifecycle. He warns that incidents like Graboid can disrupt operations and hinder the gains achieved through velocity-focused development practices.
In conclusion, the discovery of Graboid highlights the need for proactive security measures in containerized environments. By prioritizing security early on, organizations can mitigate the risks posed by crypto-jacking worms and other emerging threats.