#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Docker | Breaking Cybersecurity News | The Hacker News

Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Complete Takeover

Apr 29, 2024 Sandbox / Vulnerability
Multiple critical security flaws have been disclosed in the Judge0 open-source online code execution system that could be exploited to obtain code execution on the target system. The three flaws, all critical in nature, allow an "adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine," Australian cybersecurity firm Tanto Security said in a report published today. Judge0 (pronounced "judge zero") is  described  by its maintainers as a "robust, scalable, and open-source online code execution system" that can be used to build applications that require online code execution features such as candidate assessment, e-learning, and online code editors and IDEs. According to its website, the service is used by 23 customers like AlgoDaily, CodeChum, and PYnative, among others. The project has been  forked 412 times on GitHub  to date. The flaws, discovered and reported by Daniel Cooper in March 2024, are l
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Apr 26, 2024 Supply Chain Attack / Software Security
Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances. The 18 flaws  impact  all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them. The issues range from incorrect firewall rules, insecure root access, and Docker misconfigurations to lack of authentication and encryption, thus allowing an attacker to intercept credentials, overwrite arbitrary files, and completely breach the device. Some of the most severe flaws are listed below - CVE-2024-2859  (CVSS score: 8.8) - A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device using the root account and execute arbitrary commands CVE-2024-29960  (CVSS score: 7.5) - The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt the SSH traffic to the SANnav applianc
Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Feb 01, 2024 Cryptojacking / Linux Security
Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called  Commando Cat . "The campaign deploys a benign container generated using the  Commando project ," Cado security researchers Nate Bill and Matt Muir  said  in a new report published today. "The attacker  escapes this container  and runs multiple payloads on the Docker host." The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on  another activity cluster  that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software. Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider
cyber security

Protecting Your Organization From Insider Threats - All You Need to Know

websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.
SHQ Response Platform and Risk Centre to Enable Management and Analysts Alike

SHQ Response Platform and Risk Centre to Enable Management and Analysts Alike

May 13, 2024Threat Detection / SoC / SIEM
In the last decade, there has been a growing disconnect between front-line analysts and senior management in IT and Cybersecurity. Well-documented challenges facing modern analysts revolve around a high volume of alerts, false positives, poor visibility of technical environments, and analysts spending too much time on manual tasks. The Impact of Alert Fatigue and False Positives  Analysts are overwhelmed with alerts. The knock-on effect of this is that fatigued analysts are at risk of missing key details in incidents, and often conduct time-consuming triaging tasks manually only to end up copying and pasting a generic closing comment into a false positive alert.  It is likely that there will always be false positives. And many would argue that a false positive is better than a false negative. But for proactive actions to be made, we must move closer to the heart of an incident. That requires diving into how analysts conduct the triage and investigation process. SHQ Response Platfo
RunC Flaws Enable Container Escapes, Granting Attackers Host Access

RunC Flaws Enable Container Escapes, Granting Attackers Host Access

Jan 31, 2024 Software Security / Linux
Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks. The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed  Leaky Vessels  by cybersecurity vendor Snyk. "These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges," the company  said  in a report shared with The Hacker News. runC  is a tool for spawning and running containers on Linux. It was originally developed as part of Docker and later  spun out  into a separate open-source library in 2015. A brief description of each of the flaws is below - CVE-202
New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic

New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic

Jan 18, 2024 Server Security / Cryptocurrency
Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy. "This is the first documented case of malware deploying the 9Hits application as a payload," cloud security firm Cado said , adding the development is a sign that adversaries are always on the lookout for diversifying their strategies to make money off compromised hosts. 9Hits advertises itself as a "unique web traffic solution" and an "automatic traffic exchange" that allows members of the service to drive traffic to their sites in exchange for purchasing credits. This is accomplished by means of a software called 9Hits Viewer, which runs a headless Chrome browser instance to visit websites requested by other members, for which they earn credits to pay for generating traffic to their sites. The exact method used to spread the malwa
TeamTNT's Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign

TeamTNT's Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign

Jul 13, 2023 Cloud Security / Cryptocurrency
As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called  Silentbob . "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag  said  in a report shared with The Hacker News. "The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit." The development arrives a week after the cloud security company  detailed  an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner. The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell script
Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining

Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining

Apr 21, 2023 Kubernetes / Cryptocurrency
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control ( RBAC ) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack  RBAC Buster , said it found 60 exposed K8s clusters that have been exploited by the threat actor behind this campaign. The attack chain commenced with the attacker gaining initial access via a misconfigured API server, followed by checking for evidence of competing miner malware on the compromised server, and then using RBAC to set up persistence. "The attacker created a new ClusterRole with near admin-level privileges," the company said. "Next, the attacker created a 'ServiceAccount', 'kube-controller' in the 'kube-system' namespace. Las
Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL

Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL

Jan 09, 2023 Kubernetes / Cryptojacking
The threat actors behind the  Kinsing  cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud,  said  in a report last week. Kinsing has a  storied history  of targeting  containerized environments , often leveraging misconfigured open Docker daemon API ports as well as abusing newly disclosed exploits to drop cryptocurrency mining software. The threat actor, in the past, has also been discovered  employing a rootkit  to hide its presence, in addition to terminating and uninstalling competing resource-intensive services and processes. Now according to Microsoft, misconfigurations in  PostgreSQL servers  have been co-opted by the Kinsing actor to gain an initial foothold, with the company observing a "large amount of clusters" infe
New Docker Container Escape Bug Affects Microsoft Azure Functions

New Docker Container Escape Bug Affects Microsoft Azure Functions

Jan 27, 2021
Cybersecurity researcher Paul Litvak today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them. The findings come as part of Intezer Lab 's investigations into the Azure compute infrastructure. Following disclosure to Microsoft, the Windows maker is said to have "determined that the vulnerability has no security impact on Function users, since the host itself is still protected by another defense boundary against the elevated position we reached in the container host." Azure Functions , analogous to Amazon AWS Lambda, is a serverless solution that allows users to run event-triggered code without having to provision or manage infrastructure explicitly while simultaneously making it possible to scale and allocate compute and resources based on demand. By incorporating Docker into the mix, it makes it possible for developers to easily deploy and
Cybercriminals Are Using Legit Cloud Monitoring Tools As Backdoor

Cybercriminals Are Using Legit Cloud Monitoring Tools As Backdoor

Sep 09, 2020
A cybercrime group that has previously struck Docker and Kubernetes cloud environments has evolved to repurpose genuine cloud monitoring tools as a backdoor to carry out malicious attacks, according to new research. "To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure," Israeli cybersecurity firm Intezer said in a Tuesday analysis. Using software called Weave Scope , which is used as a visualization and monitoring tool for Docker and Kubernetes services, the TeamTNT threat actor not only mapped the cloud environment of their victims but also executed system commands without having to deploy malicious code on the target server explicitly. TeamTNT has been active at least since late April this year, directing their attacks on misconfigured Docker ports to install a cryptocurrency mining malware and a Distributed Denial-of-Service (DDoS) bot. Then last month , the crypto-mining gan
Undetectable Linux Malware Targeting Docker Servers With Exposed APIs

Undetectable Linux Malware Targeting Docker Servers With Exposed APIs

Jul 28, 2020
Cybersecurity researchers today uncovered a completely undetectable Linux malware that exploits undocumented techniques to stay under the radar and targets publicly accessible Docker servers hosted with popular cloud platforms, including AWS, Azure, and Alibaba Cloud. Docker is a popular platform-as-a-service (PaaS) solution for Linux and Windows designed to make it easier for developers to create, test, and run their applications in a loosely isolated environment called a container. According to the latest research Intezer shared with The Hacker News, an ongoing Ngrok mining botnet campaign scanning the Internet for misconfigured Docker API endpoints and has already infected many vulnerable servers with new malware. While the Ngrok mining botnet is active for the past two years, the new campaign is primarily focused on taking control over misconfigured Docker servers and exploiting them to set up malicious containers with cryptominers running on the victims' infrastructu
Docker Images Containing Cryptojacking Malware Distributed via Docker Hub

Docker Images Containing Cryptojacking Malware Distributed via Docker Hub

Jun 25, 2020
With Docker gaining popularity as a service to package and deploy software applications, malicious actors are taking advantage of the opportunity to target exposed API endpoints and craft malware-infested images to facilitate distributed denial-of-service (DDoS) attacks and mine cryptocurrencies. According to a report published by Palo Alto Networks' Unit 42 threat intelligence team, the purpose of these Docker images is to generate funds by deploying a cryptocurrency miner using Docker containers and leveraging the Docker Hub repository to distribute these images. "Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate," Unit 42 researchers said . "This, combined with coin mining, makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly starts using its compute resources towards cryptojacking." Docker is a well-known platform-as-a-servic
Docker Hub Suffers a Data Breach, Asks Users to Reset Password

Docker Hub Suffers a Data Breach, Asks Users to Reset Password

Apr 27, 2019
Docker Hub, one of the largest cloud-based library of Docker container images, has suffered a data breach after an unknown attacker gained access to the company's single Hub database. Docker Hub is an online repository service where users and partners can create, test, store and distribute Docker container images, both publicly and privately. The breach reportedly exposed sensitive information for nearly 190,000 Hub users (that's less than 5 percent of total users), including usernames and hashed passwords for a small percentage of the affected users, as well as Github and Bitbucket tokens for Docker repositories. Docker Hub started notifying affected users via emails informing them about the security incident and asking them to change their passwords for Docker Hub, as well as any online account using the same password. "On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon
RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts

RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts

Feb 12, 2019
A serious security vulnerability has been discovered in the core runC container code that affects several open-source container management systems, potentially allowing attackers to escape Linux container and obtain unauthorized, root-level access to the host operating system. The vulnerability, identified as  CVE-2019-5736 , was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday. The flaw resides in runC—a lightweight low-level command-line tool for spawning and running containers, an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel. Originally created by Docker, runC is the default container run-time for Docker, Kubernetes, ContainerD, CRI-O, and other container-dependent programs, and is widely being used by major cloud hosting and server providers. runC Containe
Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers

Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers

May 03, 2018
Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers. Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers using a low-level container management API in Hyper-V. Discovered by Swiss developer and security researcher Michael Hanselmann , the critical vulnerability (tracked as CVE-2018-8115) is the result of the failure of the hcsshim library to properly validate input when importing a Docker container image. This, in turn, allows an attacker to remotely execute arbitrary code on the Windows host operating system, eventually letting the attacker create, remove, and replace files on the target host. As Hanselmann explained  in his personal blog, "Importing a Docker container image or
New Release: Kali Linux for Docker — Deploy and Play!

New Release: Kali Linux for Docker — Deploy and Play!

May 27, 2015
The Developers of one of the most advanced open source operating system for penetration testing called ' KALI Linux ' have made the operating system available for Docker-addicted system administrators. But, What's Docker? Docker is a new open-source container technology, released in June 2014, that automates the deployment of applications inside self-sufficient software containers by providing an additional layer of abstraction and automation of operating-system-level visualization on Linux. Docker, built on top of Linux containers, is simply a way of managing multiple containers on a single machine. Nowadays, companies are adopting Docker at a remarkable rate. Docker is not just the favorite of Linux powers like RedHat and Canonical, but also big software firms, including Microsoft, which has embraced Docker. Why bringing Kali Linux for Docker? The same was happened to the developer of Offensive Security, who was requested for a Dockerised image of
Cybersecurity
Expert Insights
Cybersecurity Resources