Security researchers have discovered a new cyber-threat called OracleIV [1] [2] [4], which is being delivered through misconfigured Docker containers [3]. This threat exploits a misconfiguration in the Docker Engine API and is capable of conducting various types of attacks, including DDoS attacks [2].
Description
The OracleIV malware is compiled as an ELF executable Python malware and is disguised as a MySQL image. Attackers gain access by sending an HTTP POST request to Docker’s API and retrieve a malicious image from Dockerhub [1] [2] [3]. This image contains a malicious payload named “oracle.sh.” Once executed [3], the malware connects to a Command and Control server (C2) to carry out DDoS attacks [3]. While no mining activity has been observed [4], the malicious container does contain files that could facilitate such actions [1] [2] [4].
Cado Security Labs has reported the presence of these malicious container images to Docker, urging users to remain vigilant and implement network defenses to mitigate the risks associated with misconfigured internet-facing services [2] [4]. It is important to conduct periodic assessments of pulled images from Dockerhub and implement strong network defenses to secure internet-facing services.
Conclusion
The discovery of the OracleIV cyber-threat highlights the ongoing threat of misconfigured Docker Engine API deployments [3]. It is crucial for users to remain vigilant and implement network defenses to mitigate the risks associated with misconfigured internet-facing services [2] [4]. This incident emphasizes the importance of securing internet-facing services and serves as a reminder to regularly assess pulled images from Dockerhub.
References
[1] https://www.infosecurity-magazine.com/news/python-malware-ddos-threat-docker/
[2] https://osintcorp.net/python-malware-poses-ddos-threat-via-docker-api-misconfiguration/
[3] https://www.hackread.com/oracleiv-ddos-botnet-malware-docker-engine-api-instances/
[4] https://ciso2ciso.com/python-malware-poses-ddos-threat-via-docker-api-misconfiguration-source-www-infosecurity-magazine-com/