Who’s Attacking My Containers?

Chris Hall
Cloud Security Researcher, Lacework Labs

If you’re concerned about the security of your cloud resources then you may have asked yourself: “Who’s attacking my containers?” This blog will attempt to answer that question. As described in the kill chain model, the first phase of any attack is reconnaissance. This entails some form of information gathering about the target and usually involves service port and or vulnerability scanning. 

For cloud resources, this would include scanning for Docker and/or Kubernetes. Enter GreyNoise. In our last blog we described how we used GreyNoise to provide context on cloud servers from the H2miner botnet.

For this blog, we leveraged GreyNoise to identify suspicious hosts that were specifically scanning for containers.

Figure 1. GreyNoise tag searches

The first step was to identify the appropriate tags which included:

• Docker Scanner
• Dockerd Scanner
• Kubernetes Crawler

These inputs returned over 14K hosts from GreyNoise. Ranking of all the tags from the outputs allowed for additional insight. For example, the scanning application of choice was revealed with the tag “ZMap client.” ZMap is an open-source security scanner that was developed as an Nmap alternative. Several tags relating to web scanning were also observed such as “Web Scanning,” “HTTP Alt Scanner,” and Web Crawler,” and may have been a precursor to web app exploitation attempts. 

Figure 2. GreyNoise tag rankings

The 2nd most common tag was for Redis Scanner indicating a probable exploitation vector. Redis was similarly seen in our last blog as the vector used in the H2miner botnet propagation. This is probably due to its popularity as well as many associated vulnerabilities. Furthermore, no-auth Redis instances are easily discovered as illustrated with the following Shodan query which returned around 11K hosts:

product:”Redis key-value store”

Figure 3. No-auth Redis instances in Shodan

Shodan also lists connected clients in their key-value store. Using the API, we extracted all these IPs from the cloud scanning hosts with no-auth Redis instances.

Figure 4. No-auth Redis Search details

The following table shows the top IPs for the Redis connected clients. Interestingly, some of the hosts are from legitimate scanners, however, they’re observed connecting to multiple instances.

After filtering benign hosts, we’re left with 11,459 out 14,448. Sorting by ASN and organization gives us the chart in Figure 6. The top ASN is for Alibaba/Aliyun computing which appears to be a common source for a lot of scanning activity. Furthermore, the ASN breakdown is also consistent with the Shodan hits and the no-auth Redis instances in general. 

Figure 6. ASNs Cloud scanning hosts

To summarize, Redis appears to be the low hanging fruit that many are taking advantage of. And since many cloud servers use Redis, these are being exploited and subsequently leveraged for additional scanning. This was the likely same tactic used in the H2miner botnet’s self-propagation detailed in our last blog. It’s safe to say that any Redis misconfiguration will likely be exploited in short order. For an example of a Redis exploit in the wild, refer to our “Anatomy of a Redis Exploit” blog from 2018.

Past activity indicates financial motivation with the deployment of cryptomining malware, however, any sensitive data in your Redis database will likely be stolen and distributed if accessed by a bad actor. Fortunately, many cloud security products such as the Lacework agent can reduce your exposure with active monitoring.  

If you found this blog useful then please share on your social media!

Photo via GreyNoise Intelligence