
How are Docker containers exploited by mining trojans?

Docker containers can be exploited by mining trojans through several common attack vectors, primarily due to misconfigurations or vulnerabilities in the container environment. Here’s how it happens, along with examples:

  1. Exposed Docker API: If the Docker daemon's remote API is reachable from the internet without authentication (by default on TCP port 2375, with no TLS), attackers can remotely control the host and start malicious containers. For example, an attacker can use curl to send a POST request to the /containers/create endpoint of that API and deploy a container running a cryptocurrency miner such as XMRig.

  2. Weak or Default Credentials: If Docker Swarm or Kubernetes (which uses Docker under the hood) is protected only by default or weak credentials, attackers can gain access to the cluster and deploy mining pods. Similarly, an unsecured Redis instance running inside a container can let attackers execute commands via redis-cli, which can lead to container escape and miner deployment.

  3. Image Vulnerabilities: Attackers also distribute public Docker images that contain backdoors or malicious code. For example, a compromised image on Docker Hub might include a script that downloads and runs a miner in the background; users who pull such images unknowingly infect their containers.

  4. Privileged Containers: Running containers with the --privileged flag grants them host-level access, which allows escape into the host system. A trojan can exploit this to install miners directly on the host. For example, a container started with --privileged, or with --cap-add=SYS_ADMIN, can modify host files and spawn new processes on the host.

  5. Resource Abuse: Even if a container isn't fully compromised, attackers can take advantage of missing resource limits (no CPU or memory restrictions) to run miners that consume excessive resources. For example, a container started without --cpus or --memory limits can silently mine Monero without being throttled.

Mitigation with Tencent Cloud Services:

  • Use Tencent Cloud Container Security Service to scan images for vulnerabilities.
  • Enable Tencent Cloud TKE (Tencent Kubernetes Engine) with RBAC and network policies to restrict access.
  • Deploy Tencent Cloud Host Security to detect abnormal processes like miners.
  • Configure Tencent Cloud VPC Network ACLs to limit API exposure.
  • Use Tencent Cloud TCR (Tencent Container Registry) for private, secure image storage.

Example: A user deploys a container via Tencent Cloud TKE with resource limits (--cpus=1 --memory=1g on the Docker command line, or the equivalent resources.limits in the Kubernetes pod spec) and enables TKE's network policies to block unauthorized API calls, reducing the risk of mining trojan attacks.
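As an added example that is not part of this article or of any Tencent Cloud product, the following Python script audits `docker inspect` output and the daemon configuration for the weaknesses discussed above (an unauthenticated remote API, privileged containers or SYS_ADMIN, a mounted Docker socket, and missing CPU and memory limits). The two container records and the daemon.json content are constructed samples, and the daemon.json path is an assumption.

```python
import json

# Constructed sample shaped like `docker inspect` output (only the fields the audit reads).
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/batch-worker",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_ADMIN"], "NanoCpus": 0,
                  "Memory": 0, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
  {"Name": "/web",
   "Config": {"User": "1000"},
   "HostConfig": {"Privileged": false, "CapAdd": null, "NanoCpus": 1000000000,
                  "Memory": 1073741824, "Binds": null}}
]""")

# Constructed daemon configuration (assumed to come from /etc/docker/daemon.json).
SAMPLE_DAEMON_JSON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}


def audit_container(entry):
    """Return the list of findings for one `docker inspect` record."""
    hc = entry.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")              # full device and capability access to the host
    if "SYS_ADMIN" in (hc.get("CapAdd") or []):
        findings.append("cap_sys_admin")           # mount/namespace operations, a common escape path
    if any(b.startswith("/var/run/docker.sock:") for b in (hc.get("Binds") or [])):
        findings.append("docker_socket_mounted")   # equivalent to control of the daemon
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("no_cpu_limit")            # a miner can consume every core
    if not hc.get("Memory"):
        findings.append("no_memory_limit")
    if not entry.get("Config", {}).get("User"):
        findings.append("runs_as_root")            # empty User means the container runs as root
    return findings


def audit_daemon(cfg):
    """Flag a daemon that listens on plain TCP without TLS client verification."""
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        return ["unauthenticated_remote_api"]
    return []


def audit(inspect_output, daemon_cfg):
    """Map each container name (and 'dockerd') to its findings; an empty list means clean."""
    report = {e["Name"].lstrip("/"): audit_container(e) for e in inspect_output}
    report["dockerd"] = audit_daemon(daemon_cfg)
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT, SAMPLE_DAEMON_JSON).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `json.load` in place of the constructed sample.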