OracleIV DDoS Botnet Alert: Secure Your Docker Engine APIs
Attention Docker users: a new threat known as OracleIV is on the rise, targeting publicly accessible Docker Engine API instances. Researchers from Cado have uncovered a campaign where attackers exploit misconfigurations to turn machines into a distributed denial-of-service (DDoS) botnet.
DDoS Botnet Attack Details
The attackers use an HTTP POST request to Docker’s API to fetch a malicious image named ‘oracleiv_latest’ from Docker Hub. This image contains Python malware compiled as an ELF executable. Interestingly, it disguises itself as a MySQL image for Docker and has been downloaded 3,500 times so far. However, the image also includes instructions to fetch an XMRig miner and its configuration from a command-and-control (C&C) server.
Despite the inclusion of a miner, the researchers did not find evidence of cryptocurrency mining by the counterfeit container. Instead, they discovered a concise shell script (oracle.sh) within the image, equipped with functions for conducting DDoS attacks such as slowloris, SYN floods, and UDP floods.
Cloud security experts emphasize the vulnerability of exposed Docker instances, highlighting their increasing use as conduits for cryptojacking campaigns. The simplicity of pulling a malicious image and launching a container from it, especially from Docker Hub, makes these instances an attractive target for threat actors.
It’s not just Docker facing these issues; vulnerable MySQL servers are also under attack. A Chinese-origin DDoS botnet malware named Ddostf targets MySQL servers, allowing threat actors to infect numerous systems and sell DDoS attacks as a service.
Adding to the complexity, new DDoS botnets like hailBot, kiraiBot, and catDDoS have emerged based on the leaked Mirai source code from 2016. Cybersecurity company NSFOCUS warns that these trojan horses introduce new encryption algorithms and employ covert communication methods to hide themselves better.
XorDdos, a Linux-targeting DDoS malware, has also resurfaced in 2023. This malware infects Linux devices, turning them into “zombies” for subsequent DDoS attacks against specific targets.
Palo Alto Networks Unit 42 reports that the OracleIV DDoS botnet campaign began in late July 2023 and peaked around August 12, 2023. To infiltrate devices successfully, the attackers initiated a scanning process using HTTP requests to identify vulnerabilities. Once malware gains access, it turns into a background service, running independently of the current user session to evade detection. Stay vigilant and secure your Docker and MySQL configurations to protect against these evolving threats.
The sources for this article include a story from TheHackerNews.