Cloud Threat Landscape

Abusing exposed Docker socket

Tags: K8s
ATT&CK Tactic: Initial Access (TA0001)
Incidents: Kiss-A-Dog campaign, OracleIV campaign
Tech: Docker
References:
  • https://www.crowdstrike.com/blog/new-kiss-a-dog-cryptojacking-campaign-targets-docker-and-kubernetes/
  • https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket
Last edited: May 19, 2024 9:41 AM
Status: Stub
Defenses: Host Configuration Scanning

In the case of the Kiss-a-Dog campaign, this was the initial access vector. The gap between the exposed socket and the initial payload download is not described, but my guess is that it is the deployment of a malicious container that runs the script on start.

An exposed Docker socket is an extremely bad practice because the socket carries no authentication. As such, any attacker who can reach the socket can perform the following actions:

  • List running containers
  • Create a container
  • Execute code within the created container
  • Escape to the host from the created container

As such, an exposed Docker socket is one trivial hop away from RCE on the host.
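A host-configuration check in the spirit of the Host Configuration Scanning defense listed above, as an added example that is not Wiz's or Docker's code: it parses a daemon.json, the dockerd command line and `docker inspect` output, and reports a TCP API listener without TLS client verification plus any container that bind-mounts the socket. The daemon.json `hosts`/`tlsverify` keys and the `-H`/`--tlsverify` flags are real dockerd options; all sample inputs are constructed.

```python
import json
import shlex
from typing import List
DOCKER_SOCK = "/var/run/docker.sock"

def daemon_findings(daemon_json: str, cmdline: str) -> List[str]:
    """Flag dockerd listening on TCP without --tlsverify.
    daemon_json: contents of /etc/docker/daemon.json ("" if absent);
    cmdline: the dockerd command line as seen in `ps`."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    args = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", []))
    for i, a in enumerate(args):  # -H/--host may repeat, as "-H X" or "--host=X"
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
    tls_verify = bool(cfg.get("tlsverify")) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in args)
    return [f"dockerd listens on {h} without --tlsverify (unauthenticated API)"
            for h in hosts if h.startswith("tcp://") and not tls_verify]

def mount_findings(inspect_json: str) -> List[str]:
    """Flag containers that bind-mount the host socket (`docker inspect` JSON array)."""
    out = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") == DOCKER_SOCK:
                name, mode = c.get("Name", "?").lstrip("/"), "rw" if m.get("RW") else "ro"
                out.append(f"container {name} mounts {DOCKER_SOCK} ({mode})")
    return out

# Constructed sample inputs (not captured from a real host).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci-runner", "Mounts": [
        {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": True}]},
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "RW": True}]},
])

def scan_sample() -> List[str]:
    """Run both checks over the constructed inputs; returns two findings."""
    return daemon_findings(SAMPLE_DAEMON_JSON, SAMPLE_CMDLINE) + mount_findings(SAMPLE_INSPECT)

if __name__ == "__main__":
    for f in scan_sample():
        print("FINDING:", f)
```

On a real host, feed it the actual daemon.json, the dockerd line from `ps -o args= -C dockerd`, and `docker inspect $(docker ps -q)`.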


Last Updated: April 3, 2025