Researchers from cybersecurity vendor CrowdStrike have detected a denial-of-service (DoS) attack that compromises Docker Engine honeypots to target Russian and Belarusian websites amid the ongoing Russia-Ukraine conflict. According to the firm, the honeypots were compromised four times between February 27 and March 1, 2022, with two different Docker images that both share target lists overlapping with domains reportedly shared by the Ukraine government-backed Ukraine IT Army.
CrowdStrike has therefore linked the attacks to pro-Ukrainian activity against Russia. It has also warned of the risk of retaliatory activity by threat actors supporting the Russian Federation against organizations being leveraged to conduct disruptive attacks against government, military, and civilian websites.
Honeypots compromised via exposed Docker Engine API
The honeypots were compromised via an exposed Docker Engine API, in a manner commonly used by opportunistic campaigns such as LemonDuck or WatchDog to infect misconfigured container engines, CrowdStrike stated in a blog post. The first Docker image used in the attack was observed in three of the four incidents and is hosted on Docker Hub.
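As an added illustration (not CrowdStrike's code and not part of the article), the following Python script checks a Docker daemon.json for the kind of misconfiguration described above: an Engine API listener on TCP without TLS client verification, which leaves the daemon open to anyone who can reach the port. The configuration samples embedded in the script are constructed; the 10.0.0.5 address and certificate paths are hypothetical.

```python
"""Flag Docker daemon configurations that expose the Engine API over the
network without client authentication.  Added example; the sample configs
below are constructed for illustration, not taken from any real host."""
import json
from urllib.parse import urlsplit

# Constructed sample: plaintext API on all interfaces, the classic exposure.
EXPOSED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TLS with client-certificate verification, bound to a
# single (hypothetical) management address instead of every interface.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",      # hypothetical paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: the daemon default, local socket only.
DEFAULT_CONFIG = json.dumps({})


def assess_daemon_config(daemon_json: str) -> list[str]:
    """Return one finding per network-exposed listener; [] means nothing found.

    Only "tlsverify" counts as authentication: "tls" alone encrypts the
    connection but still accepts any client, so it is treated as exposed.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for listener in cfg.get("hosts", []):
        parts = urlsplit(listener)
        if parts.scheme in ("unix", "fd"):
            continue  # local socket listeners are not reachable over the network
        if parts.scheme != "tcp":
            findings.append(f"{listener}: unrecognised listener scheme, review manually")
            continue
        host = parts.hostname or ""
        bound_everywhere = host in ("", "0.0.0.0", "::")
        if not tls_verify:
            findings.append(
                f"{listener}: TCP listener without tlsverify, "
                "unauthenticated Engine API reachable from the network"
            )
        elif bound_everywhere:
            findings.append(
                f"{listener}: client-verified TLS but bound to all interfaces, "
                "restrict the bind address or firewall the port"
            )
    return findings


def is_exposed(daemon_json: str) -> bool:
    """True if any finding describes an unauthenticated listener."""
    return any("unauthenticated" in f for f in assess_daemon_config(daemon_json))


if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("default", DEFAULT_CONFIG)]:
        print(name, assess_daemon_config(cfg) or ["no network exposure found"])
```

Run it against a real /etc/docker/daemon.json by reading the file into `assess_daemon_config`; note that a daemon started with `-H tcp://...` on the command line is configured outside daemon.json and would need the process arguments checked the same way.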
“This image has been downloaded over 100,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. The Docker image contains a Go-based HTTP benchmarking tool named bombardier…that uses HTTP-based requests to stress-test a website,” the vendor added.
Targeted websites include those in the government, military, media, and retail sectors in both Russia and Belarus. “CrowdStrike Intelligence assesses the activity deploying this Docker image as very likely automated based on closely overlapping timelines in the interaction with the Docker API,” CrowdStrike said.
The second Docker image used in the attack has been downloaded over 50,000 times from Docker Hub, CrowdStrike continued. “The image contains a custom Go-based DoS program named stoppropaganda…that sends HTTP GET requests to a list of target websites that overloads them with requests. Again, the attack focused on websites of the Russian and Belarusian media, government, military, energy, mining, and finance sectors.”
Copyright © 2022 IDG Communications, Inc.