Cryptomining Malware Moves into Software Containers

Image for post
Image for post

Security researchers at Palo Alto Networks have discovered the Graboid worm that spreads through Docker software containers and mines Monero cryptocurrency for the attackers. This is a new tactic and territory for crypto-mining worms. It is the first time such malware has been detected traversing software containers.

Once a core image repository is infected, anytime the image is pulled and used, the malware goes with it and is spawned to maliciously consume resources for crypto-mining. Traditional security software rarely looks inside containers, so these instances can be active for as long as the container is in use.

Security recommendations:

1. Make sure the docker engine is not exposed to the internet without proper authentication controls

2. Use whitelisting where possible to identify and limit allowable incoming traffic sources

3. Tenaciously protect the software repositories from tampering or infection

4. Only pull images from trusted repositories

5. Setup monitoring of images and repositories to detect if they have been modified or acting in unauthorized ways

Written by

Cybersecurity Strategist and CISO specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store