Security researchers at Palo Alto Networks have discovered the Graboid worm that spreads through Docker software containers and mines Monero cryptocurrency for the attackers. This is a new tactic and territory for crypto-mining worms. It is the first time such malware has been detected traversing software containers.
Once a core image repository is infected, anytime the image is pulled and used, the malware goes with it and is spawned to maliciously consume resources for crypto-mining. Traditional security software rarely looks inside containers, so these instances can be active for as long as the container is in use.
1. Make sure the docker engine is not exposed to the internet without proper authentication controls
2. Use whitelisting where possible to identify and limit allowable incoming traffic sources
3. Tenaciously protect the software repositories from tampering or infection
4. Only pull images from trusted repositories
5. Setup monitoring of images and repositories to detect if they have been modified or acting in unauthorized ways