Security experts have discovered two newly detected botnets, XORDDoS and Kaiji, that are launched against Docker servers and are designed to run on Linux systems. The live attacks were detected during a large-scale worldwide campaign that is rated as extremely dangerous.
Docker Servers Actively Targeted By The XORDDoS and Kaiji Linux Botnets
Hackers continue to launch devastating attacks against Docker servers, hosting companies and enterprise networks. This is usually done with email phishing messages that attempt to manipulate employees and users into downloading malware onto a computer in the network, from where it spreads into a widespread infection. The other popular method relies on automated or manually configured hacking tools that are designed to take down or break into a vulnerable network.
The XORDDoS and Kaiji botnets are the latest threats detected by the security community. They are notable for being built specifically for Docker servers, which are used in the web hosting industry, industrial facilities and enterprise productivity cloud networks. The Kaiji botnet is an older infection that was previously used in large-scale infections of IoT devices.
The XORDDoS botnet, on the other hand, is a new infection that had not been seen before this moment. The attacks using these two botnets are taking place at roughly the same time, which gives reason to believe that they may be operated by the same hacking group or by several criminal collectives at once. They are targeting computer networks around the world without regard to any single location or company.
The attacks utilizing these botnets are carried out by performing brute force attacks directed against the target networks. The current configuration scans for weaknesses in three services: Secure Shell, Telnet and Docker. Docker's port 2375 has been found to expose an unencrypted and unauthenticated communications channel.
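An added defender-side check, not part of the original article: the script below audits a dockerd `daemon.json` and flags any TCP listener on the plaintext port 2375 or without TLS client verification, i.e. the unencrypted, unauthenticated channel the article describes. The two configurations embedded in it are constructed samples, not real hosts.

```python
import json
from urllib.parse import urlparse

# Plaintext Docker API port named in the article; 2376 is the conventional TLS port.
PLAINTEXT_DOCKER_PORT = 2375


def audit_docker_hosts(daemon_json: str) -> list[str]:
    """Return findings for every 'hosts' entry in a dockerd daemon.json that
    exposes the API over TCP without TLS client verification."""
    cfg = json.loads(daemon_json)
    # dockerd only authenticates TCP clients when tlsverify is set AND a CA,
    # server cert and key are all configured.
    tls_verify = bool(cfg.get("tlsverify")) and all(
        cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")
    )
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if url.port == PLAINTEXT_DOCKER_PORT:
            findings.append(f"{host}: listens on the plaintext Docker port {PLAINTEXT_DOCKER_PORT}")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify + CA/cert/key (unauthenticated API)")
        if (url.hostname or "") in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all network interfaces")
    return findings


# Constructed sample: the weak setup the brute-force scans look for.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TLS-authenticated listener on an internal address only.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_docker_hosts(cfg) or ["no findings"])
```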
Capabilities in XORDDoS and Kaiji Botnet: What Do They Do?
There is a notable difference in the mechanism of infection. The XORDDoS botnet is launched against the networks with the main goal of infecting the Docker server and all the containers it hosts, while Kaiji deploys its own container carrying the malicious code. Both rely on a DDoS mechanism of attack: a large number of network packets is sent to the target networks hosting a receiving server. When the number of requests becomes too large, the server crashes, opening the way to exploitation of vulnerabilities.
As soon as the XORDDoS botnet is installed on a given computer, a command is triggered to download a remote file containing the actual malware code. The malware is hidden inside this file using a XOR cipher; the payload decryption routine unpacks it onto the victim machine. This launches a Trojan module that establishes a connection to a hacker-controlled server, allowing the criminals to take control of the systems. Another malicious action run as part of the infection is the creation of a persistent infection: the threat reconfigures the system so that the malware is started automatically and becomes very difficult to remove by manual methods.
The main goal of the botnet is to initiate distributed denial-of-service attacks using the common packet types SYN, ACK and DNS. As part of the malware engine it can also download updates of itself. The XORDDoS botnet malware is also responsible for widespread information gathering of the following data:
- Processor Information Report
- Checksums of the Running Processes
- Memory Information
- Network Speed
- IDs of the Running Processes
While the Kaiji botnet follows roughly the same sequence, it differentiates itself by supporting an expanded set of packet types for the denial-of-service attack: ACK, IPS spoof, SSH, SYN, SYNACK, TCP flood and UDP flood.
The attacks have been found to come from URLs and networks that have served previous malware. For this reason it is suspected that the hacking groups are experienced, or that the infrastructure is rented out to different hacking groups.