For the first time in history, researchers have discovered a crypto-jacking worm that spreads via unsecured Docker hosts.
Researchers at Unit 42 said that the new strain of malware has spread to more than 2,000 Docker hosts by using containers in the Docker Engine (Community Edition).
The new worm has been named Graboid after the fictional subterranean sandworms that made a fairly poor show of hunting humans in nineties flick Tremors. Just like its onscreen predecessors, the Graboid is quick but relatively incompetent.
Graboid is designed to work in a randomized way that researchers said holds no obvious benefits. The malware carries out both worm-spreading and crypto-jacking inside containers, picking three targets at each iteration.
Researchers wrote: "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior.
"If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts."
Graboid doesn't hang around for long, mining cryptocurrency Monero for an average of just over four minutes before picking new vulnerable hosts to target. The worm works by gaining an initial foothold through unsecured Docker daemons, where a Docker image was first installed to run on the compromised host.
Researchers warned that Graboid's nip could potentially turn into a powerful bite and advised organizations to safeguard their Docker hosts.
Researchers wrote: "While this crypto-jacking worm doesn’t involve sophisticated tactics, techniques, or procedures, the worm can periodically pull new scripts from the C2s, so it can easily repurpose itself to ransomware or any malware to fully compromise the hosts down the line and shouldn’t be ignored."
Tim Erlin, VP, product management and strategy at Tripwire, advised developers to tackle security sooner rather than later.
He said: "DevOps tends to favor velocity over security, but when you have to stop what you’re doing to address an incident like this, you’re losing the velocity gains you might have experienced by leaving security out of the DevOps lifecycle. Addressing security through incident response is the most expensive method to employ."