Researchers from cybersecurity vendor CrowdStrike have detected a denial-of-service (DoS) attack that compromised Docker Engine honeypots in order to target Russian and Belarusian websites amid the ongoing Russia-Ukraine war. According to the firm, the honeypots were compromised four times between February 27 and March 1, 2022, using two different Docker images whose target lists both overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army.
CrowdStrike has therefore linked the attacks to pro-Ukrainian activity against Russia. It has also warned of the risk of retaliatory activity by threat actors supporting the Russian Federation against organizations whose infrastructure is being leveraged to conduct disruptive attacks against government, military, and civilian websites.
Honeypots compromised via exposed Docker Engine API
The honeypots were compromised via an exposed Docker Engine API, in a manner commonly used by opportunistic campaigns such as LemonDuck or WatchDog to infect misconfigured container engines, CrowdStrike said in a blog post. The first Docker image used in the attack was observed in three of the four incidents and is hosted on Docker Hub.
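The compromise path described here, an Engine API reachable over the network without client authentication, is a configuration problem a defender can audit for directly. The following is an added example, not code from the article or from CrowdStrike: it checks a Docker daemon.json for a TCP listener that lacks tlsverify or is bound to all interfaces, using the real daemon.json keys hosts, tls and tlsverify. Both sample configurations are constructed for illustration; the bind address 10.0.0.5 and the certificate paths are placeholders.

```python
import json
from typing import List

# Constructed sample: the weak setting. The Engine API listens on TCP on every
# interface with no TLS client verification, so anyone who can reach the port
# can create and run containers (hypothetical config, not from the article).
INSECURE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the corrected setting. TCP is bound to one management
# address and requires mutual TLS; paths are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

WILDCARD_BINDS = {"", "0.0.0.0", "[::]", "::"}


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return findings (short codes) for network exposure of the Engine API.

    An empty list means no TCP listener, or a TCP listener that requires
    client certificates and is bound to a specific address.
    """
    cfg = json.loads(daemon_json)
    findings: List[str] = []

    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        # Only the local unix socket (or the daemon default): not reachable remotely.
        return findings

    # Without tlsverify the daemon accepts any client on the TCP port.
    if not bool(cfg.get("tlsverify", False)):
        findings.append("NO_TLSVERIFY")

    for h in tcp_hosts:
        addr = h[len("tcp://"):]
        # Strip the trailing port if present; "[::]:2375" -> "[::]", ":2375" -> "".
        host_part = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if host_part in WILDCARD_BINDS:
            findings.append(f"WILDCARD_BIND {h}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or "OK")
```

The check deliberately treats tlsverify as the deciding flag rather than tls alone: with tls set but tlsverify unset the daemon encrypts the connection yet still accepts any client, which is the same exposure from an attacker's point of view.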
“This image has been downloaded over 100,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. The Docker image contains a Go-based HTTP benchmarking tool named bombardier…that uses HTTP-based requests to stress-test a website,” the vendor added.
Targeted websites include those in the government, military, media, and retail sectors in both Russia and Belarus. “CrowdStrike Intelligence assesses the activity deploying this Docker image as very likely automated based on closely overlapping timelines in the interaction with the Docker API,” CrowdStrike said.
The second Docker image used in the attack has been downloaded over 50,000 times from Docker Hub, CrowdStrike continued. “The image contains a custom Go-based DoS program named stoppropaganda…that sends HTTP GET requests to a list of target websites that overloads them with requests. Again, the attack focused on websites of the Russian and Belarusian media, government, military, energy, mining, and finance sectors.”
Copyright © 2022 IDG Communications, Inc.