Tags
K8s
ATT&CK Tactic
Initial Access (TA0001)
Incidents
Kiss-A-Dog campaignOracleIV campaign
Tech
Docker
References
https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket
Last edited
May 19, 2024 9:41 AM
Status
Stub
Defenses
Host Configuration Scanning
In the case of the Kiss-a-Dog campaign, this was the initial access vector. The gap between the exposed socket and the initial payload download is not described, but my guess it is the deployment of malicious container that runs the script upon start.
Exposed docker socket is an extremely bad practice because of the lack of authentication on the socket. As such, any bad actor can accessing the socket can perform the following actions:
- List running containers
- Create a container
- Execute code within the created container
- Escape to the host from the created container
As such, exposed Docker socket is one trivial hop away from host RCE.