Attackers are targeting MySQL servers and Docker hosts to plant malware capable of launching distributed denial-of-service (DDoS) attacks, according to a warning from researchers at the AhnLab Security Emergency Response Center.
According to AhnLab, attacks targeting MySQL on Windows have increased in frequency with vulnerable MySQL servers infected with ‘Ddostf’, a DDoS-capable botnet of Chinese origin that has been around since at least 2016.
Malicious attackers, AhnLab warns, scan the internet for publicly-accessible MySQL servers using the TCP port 3306, and then attempt to compromise them either using weak credentials or exploiting known vulnerabilities.
The attackers then upload a malicious DLL as a UDF (User-Defined Function) library, which allows them to execute commands on the infected system and to deploy and execute the Ddostf malware.
Targeting both Linux and Windows environments, Ddostf achieves persistence and then collects system information and sends it to the command-and-control (C&C) server. It then waits for commands to launch DDoS attacks such as SYN, UDP, and HTTP GET/POST floods.
“Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” AhnLab explained.
The malware appears to be designed solely for launching DDoS attacks and the researchers believe the threat actor is operating a DDoS-for-hire service.
OracleIV DDoS-capable malware
Separately, Cado Security is warning in a new report that Docker hosts are being targeted with the OracleIV DDoS-capable malware, via the Docker Engine API, an HTTP API served by Docker Engine.
Attackers are scanning for publicly-exposed instances of the Docker Engine API to deploy a malicious container that hosts Python malware compiled as an ELF executable.
According to Cado, the accidentally exposed Docker Engine API instances have been a popular target for attackers in recent years, especially for deploying cryptocurrency miners. “Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective. Hosting the malicious container in Dockerhub, Docker’s container image library, streamlines this process even further,” the company said.
Cado said it observed attackers making HTTP POST requests to retrieve a malicious image from Dockerhub and spawn a container from it. The malicious Docker image, Cado says, has over 3,000 pulls and appears to be updated regularly.
Baked within the image, OracleIV supports commands for UDP, UDP_PPS, SSL, SYN, HTTP/GET, and SLOW flood attacks, although some of the functions are not working.