The Docker threat landscape saw notable developments: new vulnerabilities were disclosed, and an unknown threat actor has been observed abusing Docker containers to deploy a number of payloads. The latter campaign has been dubbed "Commando Cat."
On January 31, 2024, Snyk reported a set of vulnerabilities, cumulatively dubbed "Leaky Vessels", impacting the runC utility, which is used to deploy and operate containers in Linux. The vulnerabilities may enable an attacker to break out of the container and gain unauthorized access to the underlying host, with subsequent data compromise.
The vulnerabilities include:
CVE-2024-21626 (CVSS score: 8.6) - runC process.cwd and leaked fds container breakout.
CVE-2024-23651 (CVSS score: 8.7) - Build-time race condition container breakout.
CVE-2024-23652 (CVSS score: 10.0) - Buildkit Build-time Container Teardown Arbitrary Delete.
CVE-2024-23653 (CVSS score: 9.8) - GRPC security mode privilege check: Build-time container breakout.
Patched runC versions have been released for Google Cloud Platform (GCP), Ubuntu and Amazon Web Services (AWS). Docker released new versions of BuildKit and Moby. Similarly, a new containerd version that addresses the issues was released on January 31, 2024.
Regarding "Commando Cat" (named after the pull command "cmd[.]cat/chattr" performed during the attack chain), the threat was discovered by Cado and reported in an advisory published on February 1, 2024. The malware targets internet-exposed Docker API instances. The originating IP address observed in attacks in the wild is 45[.]9[.]148[.]193, consistent with infrastructure hosted in the Netherlands.
Commando Cat has been observed performing cryptomining and installing an information stealer that targets cloud service credentials, namely those for AWS, GCP and Azure.
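Since Commando Cat preys on Docker Engine APIs reachable over the network, a quick defender-side check is to audit how dockerd is configured to listen. The example below is added here and is not code from Cado or Docker; it assumes you pass in the contents of /etc/docker/daemon.json and, optionally, the ExecStart line of docker.service, and the sample configurations are constructed.

```python
import json
import re
from typing import Dict, List

# Docker convention: 2375 is the plaintext API port, 2376 the TLS port.
PLAINTEXT_PORT = "2375"


def audit_docker_hosts(daemon_json: str, exec_start: str = "") -> List[str]:
    """Return findings describing network-wide or unauthenticated exposure
    of the Docker Engine API.

    daemon_json: contents of /etc/docker/daemon.json ("" if absent)
    exec_start:  ExecStart= line of docker.service, which may carry -H flags
    """
    findings: List[str] = []
    cfg: Dict = json.loads(daemon_json) if daemon_json.strip() else {}

    hosts = list(cfg.get("hosts", []))
    # -H / --host flags on the dockerd command line add listeners as well.
    hosts += re.findall(r"(?:-H|--host)[ =](\S+)", exec_start)

    # Client certificate verification is the only built-in API authentication.
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in exec_start

    for h in hosts:
        m = re.match(r"tcp://(\[[^\]]*\]|[^:/]*)?(?::(\d+))?", h)
        if not m:
            continue  # unix:// and fd:// sockets are local to the host
        addr, port = (m.group(1) or "").strip("[]"), m.group(2) or ""
        if addr in ("", "0.0.0.0", "::"):
            findings.append(f"{h}: API bound on all interfaces")
        if not tls_verify:
            findings.append(f"{h}: TCP listener without tlsverify (no client auth)")
        if port == PLAINTEXT_PORT:
            findings.append(f"{h}: conventional plaintext port 2375")
    return findings


# Constructed sample configurations: an exposed daemon and a hardened one.
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = ('{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],'
            ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}')

if __name__ == "__main__":
    for finding in audit_docker_hosts(EXPOSED):
        print("EXPOSED:", finding)
    print("HARDENED findings:", audit_docker_hosts(HARDENED))
```

Run it against the real daemon.json and unit file of each Docker host; any finding on a machine with a public interface is exactly the exposure this campaign looks for.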