
Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack

News

Ukrainian organizations have repeatedly fallen victim to Russian-sponsored cyberattacks. In early 2022, a set of malicious programs called WhisperGate was launched against a number of government agencies. On February 23 of the same year, Ukraine was threatened by a new wiper called DriveSlayer, which was disguised as a ransomware program, PartyTicket. But such actions by criminals could not go unanswered.

Between February 27 and March 1, 2022, Docker Engine honeypots were observed to have been compromised in order to execute two different Docker images targeting Russian and Belarusian websites in a denial-of-service (DoS) attack. Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). The UIA previously called its members to perform distributed denial-of-service (DDoS) attacks against Russian targets. There may be risk of retaliatory activity by threat actors supporting the Russian Federation, against organizations being leveraged to unwittingly conduct disruptive attacks against government, military and civilian websites.

Initial Compromise via Exposed Docker Engine

The honeypot was compromised via an exposed Docker Engine API, a technique commonly used by opportunistic campaigns such as LemonDuck or WatchDog to infect misconfigured container engines.
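The exposure described above is a daemon that listens on TCP without client-certificate authentication. The following script is an added example (not CrowdStrike's or Docker's code) that audits a daemon.json document and a dockerd command line for that misconfiguration; the two configuration samples are constructed for the example, and the listener addresses in them are placeholders.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample: a daemon.json that exposes the Engine API on every
# interface with no TLS client authentication, the kind of exposure that
# lets opportunistic scanners create containers on the host.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample: the same daemon restricted to one internal address
# (placeholder), on the conventional TLS port, with client-cert verification.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""


def _check_hosts(hosts, tls_verify):
    """Flag every TCP listener that lacks client-cert verification or binds
    to all interfaces. unix:// and fd:// listeners are local-only and skipped."""
    findings = []
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        if (parts.hostname or "") in ("", "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def audit_docker_daemon_config(config_text):
    """Audit the contents of /etc/docker/daemon.json. Returns a list of
    findings; an empty list means no exposed listener was found."""
    cfg = json.loads(config_text)
    return _check_hosts(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def audit_dockerd_cmdline(cmdline):
    """Audit a dockerd command line (for example from `ps -o args= -C dockerd`);
    -H/--host flags in a systemd unit take effect alongside daemon.json, so
    both places need checking."""
    argv = shlex.split(cmdline)
    hosts = []
    tls_verify = any(a in ("--tlsverify", "--tlsverify=true") for a in argv)
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
    return _check_hosts(hosts, tls_verify)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_daemon_config(text) or "OK")
    print("cmdline", audit_dockerd_cmdline("dockerd -H fd:// -H tcp://0.0.0.0:2375") or "OK")
```

Run it on the real daemon.json and on the live dockerd process arguments; any finding means the Engine API can be driven by whoever can reach that port, which is exactly how the honeypot here was made to run the DoS images.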

Technical Analysis

The first Docker image that was observed — called abagayev/stop-russia — is hosted on Docker Hub. This image has been downloaded over 100,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. The Docker image contains a Go-based HTTP benchmarking tool named bombardier with SHA256 hash

6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453

that uses HTTP-based requests to stress-test a website. In this case, this tool was abused as a DoS tool that starts automatically when a new container based on the Docker image is created. Upon starting, the target-selection routine picks a random entry from a hard-coded target list. Later versions of this Docker image alternatively pick one of the first 24 entries of the target list, based on the current hour.


Figure 1. Excerpt of targeted websites

The deployed image was updated once on March 1, 2022. The most significant difference between the two versions of this image is that the target list was expanded. The target list contains Russian websites from the following sectors: government, military, media, finance, energy, retail, mining, manufacturing, chemicals, production, technology, advertisements, agriculture, transportation and political parties. Also on March 1, 2022, Belarusian websites from the media, retail, government and military sectors were added to the target list. CrowdStrike Intelligence assesses the activity deploying this Docker image as very likely automated based on closely overlapping timelines in the interaction with the Docker API. This assessment is made with moderate confidence, based on three separate incidents showing analogous timelines.

The second Docker image is named erikmnkl/stoppropaganda. This image has been downloaded over 50,000 times from Docker Hub. Again, the portion of these downloads that originated from compromised machines is unknown. The image contains a custom Go-based DoS program named stoppropaganda that has the following SHA256 hash

3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f

that overloads a list of target websites with HTTP GET requests. The attack focused on Russian and Belarusian websites in the same sectors: government, military, energy, mining, retail, media and finance. Furthermore, three Lithuanian media websites fell victim to the attack.


Figure 2. Excerpt of targeted websites

CrowdStrike Detection

The CrowdStrike Falcon platform protects its customers from post-exploitation activity with its runtime protection and cloud machine learning models. As can be seen in Figure 3, the malicious DoS process from the erikmnkl/stoppropaganda image is terminated by Falcon's cloud-based machine learning model when the Docker container runs on a host with the Falcon Sensor for Linux installed.


Figure 3. CrowdStrike’s cloud-based machine learning model kills the malicious process

Assessment

Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA that called its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites.

Indicators of Compromise (IOCs)

Image Name                 Image Digest
abagayev/stop-russia       af39263fe21815e776842c220e010433f48647f850288b5fe749db3d7783bcb0
abagayev/stop-russia       f190731012d3766c05ef8153309602dea29c93be596dcde506e3047e9ded5eae
erikmnkl/stoppropaganda    aacbb56f72616bbb82720cb897b6a07168a3a021dd524782ee759bbec3439fda

Filename          SHA256 Hash
bombardier        6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453
stoppropaganda    3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f
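The IOCs above are most useful when checked against what the Docker daemon on a host actually did. The script below is an added example (not CrowdStrike's code) that matches the image names and digests from the tables against `docker events` output and `docker image inspect` RepoDigests, and checks file hashes against the binary IOCs. It also flags a container start that follows the image pull within a few seconds, the kind of tight timeline the Technical Analysis associates with automated deployment; that window is an assumed heuristic, and the event lines, container names and timestamps are constructed for the example.

```python
import json

# IOCs taken from the tables above.
IOC_IMAGES = {"abagayev/stop-russia", "erikmnkl/stoppropaganda"}
IOC_IMAGE_DIGESTS = {
    "af39263fe21815e776842c220e010433f48647f850288b5fe749db3d7783bcb0",
    "f190731012d3766c05ef8153309602dea29c93be596dcde506e3047e9ded5eae",
    "aacbb56f72616bbb82720cb897b6a07168a3a021dd524782ee759bbec3439fda",
}
IOC_FILE_HASHES = {
    "6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453",
    "3f954dd92c4d0bc682bd8f478eb04331f67cd750e8675fc8c417f962cc0fb31f",
}

# Constructed sample of `docker events --format '{{json .}}'` output: an IOC
# image pulled and started three seconds apart, then unrelated nginx activity.
# Container IDs, names and timestamps are invented.
SAMPLE_EVENTS = """
{"Type":"image","Action":"pull","Actor":{"ID":"abagayev/stop-russia:latest","Attributes":{"name":"abagayev/stop-russia"}},"time":1646092800}
{"Type":"container","Action":"create","Actor":{"ID":"c0ffee11","Attributes":{"image":"abagayev/stop-russia","name":"xenodochial_kirch"}},"time":1646092802}
{"Type":"container","Action":"start","Actor":{"ID":"c0ffee11","Attributes":{"image":"abagayev/stop-russia","name":"xenodochial_kirch"}},"time":1646092803}
{"Type":"image","Action":"pull","Actor":{"ID":"nginx:latest","Attributes":{"name":"nginx"}},"time":1646096400}
{"Type":"container","Action":"start","Actor":{"ID":"deadbeef","Attributes":{"image":"nginx","name":"web"}},"time":1646097000}
"""


def image_repo(ref):
    """Strip tag or digest from an image reference: 'a/b:latest' -> 'a/b'.
    Only a ':' after the last '/' is a tag; earlier ones are registry ports."""
    ref = ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition("/")
    return head + sep + tail.split(":", 1)[0]


def scan_docker_events(events_text, automation_window=10):
    """Return alerts for pulls/starts of IOC images. A start within
    automation_window seconds of the pull gets an '(automated?)' marker
    (assumed heuristic)."""
    alerts = []
    last_pull = {}
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        actor = ev.get("Actor", {})
        attrs = actor.get("Attributes", {})
        if ev.get("Type") == "image" and ev.get("Action") == "pull":
            repo = image_repo(actor.get("ID", ""))
            if repo in IOC_IMAGES:
                last_pull[repo] = ev.get("time", 0)
                alerts.append(f"pull of IOC image {repo} at {ev.get('time')}")
        elif ev.get("Type") == "container" and ev.get("Action") == "start":
            repo = image_repo(attrs.get("image", ""))
            if repo in IOC_IMAGES:
                delta = ev.get("time", 0) - last_pull.get(repo, -10**9)
                note = " (automated?)" if delta <= automation_window else ""
                alerts.append(
                    f"start of container {attrs.get('name')} from IOC image "
                    f"{repo} at {ev.get('time')}{note}"
                )
    return alerts


def match_repo_digests(repo_digests):
    """Check `docker image inspect --format '{{json .RepoDigests}}'` entries
    ('repo@sha256:<hex>') against the image-digest IOCs."""
    hits = []
    for entry in repo_digests:
        if "@sha256:" in entry and entry.split("@sha256:", 1)[1].lower() in IOC_IMAGE_DIGESTS:
            hits.append(entry)
    return hits


def match_file_hash(sha256_hex):
    """True if a file's SHA256 (hex, any case) is one of the binary IOCs."""
    return sha256_hex.lower() in IOC_FILE_HASHES


if __name__ == "__main__":
    for alert in scan_docker_events(SAMPLE_EVENTS):
        print(alert)
```

Feeding real `docker events --since` output through `scan_docker_events` gives the timeline of when an IOC image arrived and was run; pairing that with `match_repo_digests` catches the case where the image was re-tagged under a different name but the content digest is unchanged.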

Snort

The following Snort rule can be used to detect HTTP requests sent by erikmnkl/stoppropaganda:


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "Detects DoS HTTP request sent by erikmnkl/stoppropaganda tool"; flow:to_server, established; content:"Mozilla/5.0 (Windows NT 10.0|3B| Win64|3B| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36"; http_header; content:"GET"; http_method; classtype:trojan-activity; metadata:service http; sid:8001951; rev:20220420;)
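The rule above matches on two buffers: the request method (http_method) and the User-Agent string in the headers (http_header), with Snort's |3B| escapes standing for the ';' bytes. The script below is an added example (not CrowdStrike's or Snort's code) that expands the hex escapes exactly as Snort does and applies the same two conditions to raw HTTP requests, so the rule's logic can be checked offline; the sample requests and their Host values are constructed placeholders.

```python
import re

# The content match from the Snort rule above. Snort writes non-printable or
# delimiter bytes as |hex| escapes; here |3B| is the ';' between UA tokens.
UA_CONTENT = ("Mozilla/5.0 (Windows NT 10.0|3B| Win64|3B| x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36")

_HEX_ESCAPE = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def snort_content_to_bytes(pattern):
    """Expand Snort |xx yy| hex escapes into raw bytes; everything else is literal."""
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex("".join(m.group(1).split()))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def matches_stoppropaganda_rule(request):
    """Mirror the rule on a raw HTTP/1.x request: method must be GET
    (http_method) and the expanded UA string must occur in the headers
    (http_header)."""
    head = request.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method == b"GET" and snort_content_to_bytes(UA_CONTENT) in headers


# Constructed sample requests; target.example is a placeholder host.
UA_LITERAL = snort_content_to_bytes(UA_CONTENT)
MATCHING_GET = (b"GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: "
                + UA_LITERAL + b"\r\nConnection: keep-alive\r\n\r\n")
POST_SAME_UA = (b"POST /api HTTP/1.1\r\nHost: target.example\r\nUser-Agent: "
                + UA_LITERAL + b"\r\n\r\n")
GET_OTHER_UA = b"GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: curl/7.81.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("matching GET", MATCHING_GET), ("POST same UA", POST_SAME_UA),
                      ("GET other UA", GET_OTHER_UA)):
        print(name, matches_stoppropaganda_rule(req))
```

One caveat when deploying the rule: the matched string is an ordinary Chrome 98 on Windows User-Agent rather than anything unique to the tool, so on a $HOME_NET that carries real browser traffic it will fire on legitimate GET requests. It is most useful scoped to segments where only servers or container hosts live, where a browser User-Agent in outbound traffic is itself the anomaly.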


iIT Distribution is the official distributor of CrowdStrike solutions
in the territories of Ukraine, Kazakhstan, Georgia and Uzbekistan. At this difficult time, we strongly recommend that you take care of reliable cybersecurity. And we will help in the selection of the optimal protection solution and provide support at all stages of its implementation.
