Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

submitted by
Style Pass
2024-10-26 11:30:05

In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.

Recently we observed a malicious actor targeting Docker remote API servers for cryptomining. Docker is a platform that helps developers build, test, deploy, and share applications. One of Docker's features is its remote API, which allows users to manage containers, images, and volumes remotely. However, this feature also introduces security risks if remote API servers are left misconfigured and exposed to the internet, where they can be discovered and exploited by malicious actors.

In this attack, we observed the malicious actor using the gRPC protocol over h2c (cleartext HTTP/2) to evade security solutions and deploy the SRBMiner cryptominer on the Docker host to mine XRP, a cryptocurrency developed by the US-based Ripple Labs.

As shown in the attack chain (Figure 1), the attacker starts the discovery process by checking the Docker API’s availability and version (Figures 2 and 3). The attacker then sends a request for a gRPC/h2c upgrade (Figure 4).
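A defender-side detection example, added here and not part of the original entry: it scans constructed access-log lines (the log format is an assumption) for a source that first probed the Docker API's discovery endpoints (/version, /_ping, /info) and then requested an HTTP/1.1 to h2c upgrade, the two-step sequence described above.

```python
import re

# Constructed sample access-log lines (not from the original post), in an assumed
# simplified format: "<ts> <src_ip> <method> <path> <proto> <status> upgrade=<hdr>".
# 198.51.100.7 follows the discovery-then-h2c-upgrade sequence; 203.0.113.9 does not.
SAMPLE_LOG = """\
2024-10-25T09:00:01Z 198.51.100.7 GET /version HTTP/1.1 200 upgrade=-
2024-10-25T09:00:02Z 198.51.100.7 GET /v1.43/version HTTP/1.1 200 upgrade=-
2024-10-25T09:00:03Z 198.51.100.7 POST /v1.43/containers/create HTTP/1.1 101 upgrade=h2c
2024-10-25T09:05:00Z 203.0.113.9 GET /_ping HTTP/1.1 200 upgrade=-
2024-10-25T09:05:10Z 203.0.113.9 GET /v1.43/containers/json HTTP/1.1 200 upgrade=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<proto>\S+) "
    r"(?P<status>\d{3}) upgrade=(?P<upgrade>\S+)$"
)
# Docker API discovery endpoints, with or without the optional /vX.Y version prefix.
DISCOVERY_PATHS = re.compile(r"^(/v[\d.]+)?/(version|_ping|info)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def find_h2c_upgrade_after_discovery(entries):
    """Return one finding per h2c upgrade request from a source that earlier
    probed a discovery endpoint on the same Docker API server."""
    seen_discovery = set()
    findings = []
    for e in entries:
        if DISCOVERY_PATHS.match(e["path"]):
            seen_discovery.add(e["src"])
        elif e["upgrade"].lower() == "h2c" and e["src"] in seen_discovery:
            findings.append({"src": e["src"], "ts": e["ts"],
                             "path": e["path"], "status": e["status"]})
    return findings


if __name__ == "__main__":
    for f in find_h2c_upgrade_after_discovery(parse_log(SAMPLE_LOG)):
        print(f"h2c upgrade after Docker API discovery from {f['src']} at {f['ts']}")
```

An exposed Docker remote API should not accept unauthenticated connections at all; this check is a compensating detection, not a substitute for TLS client authentication on the daemon socket.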