Security researchers at Palo Alto Networks have discovered Graboid, a worm that spreads through Docker software containers and mines Monero cryptocurrency for the attackers. This is a new tactic and new territory for crypto-mining worms: it is the first time such malware has been detected traversing software containers.
Once a core image repository is infected, any time the image is pulled and run, the malware travels with it and is spawned to consume the host's resources for crypto-mining. Traditional security software rarely looks inside containers, so these instances can stay active for as long as the container is in use.
- Make sure the Docker engine is not exposed to the internet without proper authentication controls
- Use whitelisting where possible to identify and limit allowable incoming traffic sources
- Tenaciously protect the software repositories from tampering or infection
- Only pull images from trusted repositories
- Set up monitoring of images and repositories to detect whether they have been modified or are acting in unauthorized ways
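The first, fourth and fifth recommendations above can be turned into a small audit. The following is an added example, not code from the original article or from Palo Alto Networks; it checks a (constructed) `daemon.json` for TCP listeners that lack TLS client verification, checks image references against an assumed registry allowlist and for digest pinning, and compares current image digests with a recorded baseline. It assumes the engine's listeners are configured only in `daemon.json` (a `-H` flag in a systemd unit would not be seen).

```python
import json

# Constructed sample of /etc/docker/daemon.json, not taken from any real host.
DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Assumed allowlist of registries the organisation trusts.
TRUSTED_REGISTRIES = {"registry.example.internal"}


def exposed_daemon_listeners(daemon_json):
    """Return tcp:// listeners that accept clients without TLS client-cert verification."""
    cfg = json.loads(daemon_json)
    if cfg.get("tlsverify", False):
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Docker treats the first path component as a registry only if it contains
    a '.' or ':' or is 'localhost'; otherwise the image comes from docker.io.
    """
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    repo, _, tag = path.partition(":")
    return registry, repo, tag or None, digest or None


def image_ref_issues(ref, trusted=TRUSTED_REGISTRIES):
    """Report why an image reference violates the trusted-source / pinning rules."""
    registry, _repo, _tag, digest = parse_image_ref(ref)
    issues = []
    if registry not in trusted:
        issues.append(f"registry {registry} not in allowlist")
    if digest is None:
        issues.append("not pinned by digest")
    return issues


def changed_images(baseline, current):
    """Names whose current digest differs from the recorded baseline (new names count as changed)."""
    return sorted(name for name, digest in current.items() if baseline.get(name) != digest)
```

Run `exposed_daemon_listeners` against the real `daemon.json` and feed `changed_images` with the output of `docker images --digests` on a schedule to catch a repository image that was silently replaced.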