CrowdStrike Intelligence warns organizations that their IT infrastructure could be used to launch cyberattacks without their knowledge, after Docker Engine was compromised to execute distributed denial-of-service (DDoS) attacks on Russian and Belarusian websites.
CrowdStrike said that between February 27 and March 1, 2022, its Docker honeypot, which was set up to identify container-based cyberattacks, was compromised via the exposed Docker Engine API, a technique commonly used by “opportunistic” attackers to infect incorrectly configured container engines.
It added that the honeypots had been compromised to run two different Docker images that launched DDoS attacks against Russian and Belarusian websites, and that those websites overlapped with domains already identified and shared as targets by the state-sanctioned IT Army of Ukraine (UIA).
The list of targets includes Russian websites from various sectors, including government, military, media, finance, energy, retail, mining, manufacturing, chemicals, technology, advertising, agriculture and transport, as well as those of political parties.
Belarusian websites from the media, retail, government and military sectors were also targeted, as well as three Lithuanian media websites.
“CrowdStrike Intelligence estimates that these participants almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment was made with a high degree of confidence based on the targeted websites,” the company said in a blog post on May 4, 2022, adding that the UIA had previously called on its volunteers to launch DDoS attacks against Russian targets.
“There may be a risk of retaliation from threat actors supporting the Russian Federation against organizations that are unknowingly being used in destructive attacks on government, military and civilian websites.”
Speaking to Container magazine, Adam Myers, senior vice president of intelligence at CrowdStrike, said Russia or Belarus (or groups acting on their behalf) could counterattack to disable the IT infrastructure used to attack them, leaving organizations as collateral damage in the escalating conflict.
According to the CrowdStrike blog, the first Docker image, called abagayev/stop-russia, was hosted on Docker Hub and downloaded more than 100,000 times. “The Docker image contains a Go-based HTTP benchmarking tool called bombardier with the SHA256 hash 6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453, which uses HTTP-based requests.”
In this case, it added, the tool was misused to launch DDoS attacks, which start automatically when a new container based on the Docker image is created, with the target selection routine then picking a random entry from a hard-coded target list.
The second Docker image, called erikmnkl/stoppropaganda, was downloaded more than 50,000 times from Docker Hub and contained a custom Go-based DDoS program that sends HTTP GET requests to a list of target websites, overloading them with requests.
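The two things a Docker host owner can check in response to the compromise described above (an Engine API reachable without TLS, and containers started from the two images named in the article) are shown below as an added defensive example. This is not CrowdStrike's code or anything from the article; it assumes the daemon configuration is a dict parsed from `/etc/docker/daemon.json` (the `hosts` and `tlsverify` keys are real Docker daemon options) and that the container inventory is the JSON-lines output of `docker ps --format '{{json .}}'`, whose records carry `ID`, `Image` and `Names` keys. Both sample inputs, including the container IDs, are constructed for the example.

```python
"""Defensive checks for a Docker host: audit the Engine API listener configuration and
look for running containers built from watchlisted images. Added example, not the
article's or CrowdStrike's code."""
import json

# Image names reported in the article, used as a watchlist (not an exhaustive list).
WATCHLIST = {"abagayev/stop-russia", "erikmnkl/stoppropaganda"}

# Constructed daemon.json contents: the weak setting beside the hardened one.
WEAK_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
}
HARDENED_CONFIG = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed `docker ps --format '{{json .}}'` output (IDs and names are made up).
SAMPLE_PS = """\
{"ID":"3f1c2a9b7d10","Image":"abagayev/stop-russia:latest","Names":"agitated_hopper","Status":"Up 3 minutes"}
{"ID":"9a8b7c6d5e4f","Image":"nginx:1.21","Names":"web","Status":"Up 2 days"}
{"ID":"0123456789ab","Image":"docker.io/erikmnkl/stoppropaganda","Names":"zealous_curie","Status":"Up 1 hour"}
"""


def audit_daemon_config(config: dict) -> list:
    """Return finding strings for 'hosts' entries that expose the Engine API over TCP
    without TLS client verification or on every interface. Empty list means clean."""
    findings = []
    tls_verify = bool(config.get("tlsverify", False))
    for host in config.get("hosts", []):
        if host.startswith("tcp://") and not tls_verify:
            findings.append(f"{host}: TCP listener without TLS client verification")
        if host.startswith("tcp://0.0.0.0") or host.startswith("tcp://[::]"):
            findings.append(f"{host}: TCP listener bound to all interfaces")
    return findings


def normalize_image(ref: str) -> str:
    """Reduce an image reference to its repository name so that
    'docker.io/abagayev/stop-russia:latest' matches 'abagayev/stop-russia'."""
    ref = ref.split("@", 1)[0]                # drop a digest suffix
    head, _, last = ref.rpartition("/")       # only the last component may carry a tag
    if ":" in last:
        last = last.split(":", 1)[0]          # a registry port (host:5000/...) is left alone
    ref = f"{head}/{last}" if head else last
    if ref.startswith("docker.io/"):          # Docker Hub's implicit registry prefix
        ref = ref[len("docker.io/"):]
    return ref


def find_watchlisted_containers(ps_json_lines: str, watchlist=WATCHLIST) -> list:
    """Parse `docker ps` JSON lines and return (container id, image) pairs whose
    repository is on the watchlist."""
    hits = []
    for line in ps_json_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if normalize_image(rec["Image"]) in watchlist:
            hits.append((rec["ID"], rec["Image"]))
    return hits


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name} config:", audit_daemon_config(cfg) or "no findings")
    for cid, image in find_watchlisted_containers(SAMPLE_PS):
        print(f"watchlisted image running: {cid} {image}")
```

On a live host the same two functions can be fed `json.load(open("/etc/docker/daemon.json"))` and the captured output of `docker ps --format '{{json .}}'`; a hit from the second check is a reason to stop the container and review how the Engine API was reachable, which the first check answers.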
While the two images have been downloaded more than 150,000 times, CrowdStrike said it was unable to estimate how many of those downloads came from compromised infrastructure.
Data published by Check Point Research on February 28, 2022, shows a 196% increase in cyberattacks against the government and military sector of Ukraine, as well as a 4% increase in attacks targeting Russian organizations in general.
On March 24, for example, hackers working under the banner of Anonymous claimed to have stolen more than 35,000 sensitive files from Russia’s Central Bank as part of the cyber war against the Russian state that the group declared shortly after Vladimir Putin illegally invaded Ukraine.