Cryptojacking worm activity overview provided by Unit 42.
So what is Graboid?
It's a cryptojacking worm that spreads through containers running on the Community Edition of the Docker Engine. Because many endpoint protection tools do not inspect activity inside containers, the malicious workload can be hard to detect.
And what does this mean?
An attacker gains an initial foothold by targeting unsecured Docker daemons (the service that runs Docker containers, in this case reachable from the internet without authentication), then pulls and runs a malicious Docker image on the compromised host; the container fetches its scripts and its target list from Command and Control (C2) servers. This is the 'jacking' part.
Once deployed, the malware starts mining Monero (a cryptocurrency that cryptojackers prefer over Bitcoin because its transactions are hard to trace and it can still be mined on ordinary CPUs). This is the 'crypto' part.
The malware periodically calls home to the C2 servers, fetches a list of vulnerable hosts, and picks targets at random to spread the worm to. This erratic, burst-like movement is the reason for the name: the graboids are the subterranean worms of the film Tremors.
From the Unit 42 analysis, each miner is active on average 63% of the time and mines for about 250 seconds per session. Spreading the CPU load over time like this can help the miner evade detection that keys on sustained high utilization.
The Docker team, working with Unit 42, quickly removed the malicious images after being alerted to their existence.
How do I protect myself?
Never expose a Docker daemon to the internet without a proper authentication mechanism, such as TLS with client certificate verification (tlsverify). Note that, by default, Docker Engine (CE) listens only on a local UNIX socket and is NOT exposed to the internet; exposure happens when the daemon is configured to listen on a TCP port (conventionally 2375) without TLS.
Use the UNIX socket (/var/run/docker.sock) to communicate with the Docker daemon locally, or use SSH (for example DOCKER_HOST=ssh://user@host) to connect to a remote Docker daemon.
Use firewall rules to allow incoming traffic to the Docker port only from a small set of trusted sources.
Never pull Docker images from unknown registries or unknown user namespaces.
Frequently check for any unknown containers or images in the system.
Cloud security solutions such as Prisma Cloud or Twistlock can identify malicious containers and prevent cryptojacking activities.
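The checks above can be scripted. The following is an added example, not code from Unit 42 or the Docker project: it flags a daemon.json that opens a TCP listener without TLS client-certificate verification, and audits container inventory (the JSON-lines output of docker ps --format '{{json .}}') for images from unknown registries or namespaces and images outside a known-good set. The registry name registry.example.internal, the namespaces, the certificate paths and the inventory lines are constructed for the demo.

```python
"""Docker-hardening audit helper (added example; assumptions noted inline)."""
import json

# --- 1. daemon.json: is the API reachable over TCP without authentication? ---

# Constructed samples. Without a "hosts" key the daemon listens only on the
# local UNIX socket, which is the secure default.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,                        # require client certificates
    "tlscacert": "/etc/docker/ca.pem",        # paths are assumptions
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def daemon_json_findings(text):
    """Return a list of problems with a daemon.json document (empty = OK)."""
    cfg = json.loads(text)
    findings = []
    has_material = all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey"))
    verify = cfg.get("tlsverify") is True and has_material
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://") or verify:
            continue  # unix:// and fd:// are local-only; tlsverify is fine
        if cfg.get("tls") is True:
            # "tls" alone encrypts the channel but accepts any client.
            findings.append(f"{host}: TLS enabled but clients are not authenticated (set tlsverify)")
        else:
            findings.append(f"{host}: plaintext Docker API listener with no authentication")
    return findings


# --- 2. Inventory: unknown registries, namespaces or images ------------------

# Assumed policy for the demo.
ALLOWED_NAMESPACES = {
    ("docker.io", "library"),                   # official images on Docker Hub
    ("registry.example.internal", "platform"),  # hypothetical private registry
}
KNOWN_IMAGES = {
    "docker.io/library/nginx:1.25",
    "registry.example.internal/platform/api:2.3",
}


def split_image_ref(ref):
    """Split an image reference into (registry, namespace, repo, tag-or-digest).

    Docker's rules: the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the registry is docker.io, where a
    bare name such as 'nginx' lives in the 'library' namespace.
    """
    ref, _, digest = ref.partition("@")       # strip a trailing @sha256:... digest
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    else:
        registry = "docker.io"
    repo, _, tag = parts[-1].partition(":")
    namespace = "/".join(parts[:-1]) or ("library" if registry == "docker.io" else "")
    return registry, namespace, repo, digest or tag or "latest"


# Constructed `docker ps --format '{{json .}}'` output, one object per line.
SAMPLE_PS_OUTPUT = "\n".join(json.dumps(c) for c in [
    {"ID": "3f1c9a2b7d4e", "Names": "web", "Image": "nginx:1.25"},
    {"ID": "8e2d7c6b5a40", "Names": "api", "Image": "registry.example.internal/platform/api:2.3"},
    {"ID": "c0ffee123456", "Names": "stoic_wright", "Image": "unknownuser/centos:7.6.1810"},
])


def inventory_findings(ps_output, allowed=ALLOWED_NAMESPACES, known=KNOWN_IMAGES):
    """Return (container name, reason) for every container whose image is off-policy."""
    findings = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        registry, namespace, repo, tag = split_image_ref(c["Image"])
        canonical = f"{registry}/{namespace}/{repo}:{tag}"
        if (registry, namespace) not in allowed:
            findings.append((c["Names"], f"image {canonical} is from an unapproved registry/namespace"))
        elif canonical not in known:
            findings.append((c["Names"], f"image {canonical} is not in the known-good set"))
    return findings


if __name__ == "__main__":
    for f in daemon_json_findings(WEAK_DAEMON_JSON):
        print("daemon.json:", f)
    for name, reason in inventory_findings(SAMPLE_PS_OUTPUT):
        print(f"container {name}: {reason}")
```

On a real host, replace the constructed sample with the file contents of /etc/docker/daemon.json and with the output of docker ps --format '{{json .}}' (and docker images --format '{{json .}}' for images that are present but not running), and run the audit from cron or your configuration-management tool so that an unexpected container from an unknown user namespace is reported shortly after it appears rather than after the CPU bill arrives.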