Time to revise your threat models for containerised services…:
[…] In this case, preliminary threat intel on a malicious container image is useless because the image is not pulled from a remote source. A static scanner will not return the desired results, since the image is built upon a standard Alpine base image and would most probably be marked as benign. Network-level detection/prevention scanning might actually block the communication with the C2 of the attacker (185[.]10[.]68[.]147) and prevent downloading the script main.sh and the malicious binary.
We believe that the best solution for these kinds of threats lies in an ongoing Dynamic Threat Analysis scanning cadence. Dynamically scanning all your images in Docker Hub and on the organization's servers would shine a bright light on any hidden threats lurking in the cloud.
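The excerpt names two places where a locally built image can still be caught even though registry threat intel and static scanning miss it: the image was never pulled from a registry, and the running container reaches out to a known C2 address. The script below is an added example (not code from the quoted post or its authors) that correlates those two signals over constructed sample data shaped like `docker events --format '{{json .}}'` output and a minimal flow log. The container ids, image names, timestamps and the 203.0.113.10 destination are all made up; the only indicator taken from the excerpt is the C2 address.

```python
"""Correlate Docker daemon events with container egress flows.

Two detection points from the excerpt are implemented:
  1. a container started from an image that was never pulled from a
     registry (built locally, e.g. FROM alpine), and
  2. outbound traffic from a container to a known C2 address.
All records below are constructed samples, not captured from an incident.
"""
import json
from typing import Dict, List, Set, Tuple

# Indicator from the excerpt (written there defanged as 185[.]10[.]68[.]147).
C2_INDICATORS: Set[str] = {"185.10.68.147"}

# Constructed sample of `docker events --format '{{json .}}'` output.
# `docker build -t miner:latest .` produces an image "tag" event but never a
# "pull"; only registry downloads produce "pull" events.
SAMPLE_EVENTS = """\
{"Type":"image","Action":"pull","Actor":{"ID":"nginx:1.19","Attributes":{"name":"nginx"}},"time":1600000000}
{"Type":"image","Action":"pull","Actor":{"ID":"alpine:3.12","Attributes":{"name":"alpine"}},"time":1600000001}
{"Type":"image","Action":"tag","Actor":{"ID":"sha256:deadbeef","Attributes":{"name":"miner:latest"}},"time":1600000002}
{"Type":"container","Action":"start","Actor":{"ID":"c1","Attributes":{"image":"nginx:1.19","name":"web"}},"time":1600000003}
{"Type":"container","Action":"start","Actor":{"ID":"c2","Attributes":{"image":"miner:latest","name":"worker"}},"time":1600000004}
"""

# Constructed egress flow records: "<container id> <destination ip> <port>".
# 203.0.113.10 is a documentation (TEST-NET-3) address used as benign filler.
SAMPLE_FLOWS = """\
c1 203.0.113.10 443
c2 185.10.68.147 80
c2 185.10.68.147 443
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON-lines Docker events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def locally_built_containers(events: List[dict]) -> Dict[str, str]:
    """Map container id -> image for containers whose image was never pulled.

    For pull events Docker sets Actor.ID to the image reference (name:tag),
    which is the same string a container start event carries in
    Attributes.image, so a set lookup is enough to correlate them.
    """
    pulled = {
        e["Actor"]["ID"]
        for e in events
        if e["Type"] == "image" and e["Action"] == "pull"
    }
    findings: Dict[str, str] = {}
    for e in events:
        if e["Type"] == "container" and e["Action"] == "start":
            image = e["Actor"]["Attributes"]["image"]
            if image not in pulled:
                findings[e["Actor"]["ID"]] = image
    return findings


def c2_egress(flow_text: str, indicators: Set[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Map container id -> list of (ip, port) flows that hit a C2 indicator."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        cid, ip, port = line.split()
        if ip in indicators:
            hits.setdefault(cid, []).append((ip, int(port)))
    return hits


def analyze(event_text: str = SAMPLE_EVENTS,
            flow_text: str = SAMPLE_FLOWS,
            indicators: Set[str] = C2_INDICATORS) -> dict:
    """Run both detections and flag containers that trip both as high severity."""
    local = locally_built_containers(parse_events(event_text))
    egress = c2_egress(flow_text, indicators)
    high = sorted(set(local) & set(egress))
    return {"locally_built": local, "c2_egress": egress, "high": high}


if __name__ == "__main__":
    result = analyze()
    for cid, image in result["locally_built"].items():
        print(f"[medium] {cid}: started from non-registry image {image}")
    for cid, flows in result["c2_egress"].items():
        print(f"[high]   {cid}: egress to C2 indicator {flows}")
    for cid in result["high"]:
        print(f"[critical] {cid}: local build AND C2 contact")
```

Either signal alone is worth an alert; the combination is what distinguishes the scenario in the excerpt from a developer legitimately testing a local build. In production the flow records would come from whatever egress telemetry the cluster already produces, and the indicator set would be fed from threat intel rather than hard-coded.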