The malicious scripts are being developed to steal more sensitive data such as credentials. The malware, which installs Monero cryptominers on the infected systems, has been actively targeting Docker installations since April, according to Trend Micro. Furthermore, Oliveira says TeamTNT has now added a feature to collect Docker API credentials, on top of the AWS creds-stealing code. This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.
Register new task definition, now referring to Docker images tagged with current Git revisions. In this way you can still use the “rolling update” deployment type, and ECS will simply spin up new instances and drain the old ones with no downtime of your service if everything is OK. The bad side is you lose fine control on the deployment and you cannot roll back to previous version if there is an error and this will break the ongoing service. If the image pull fails, then the container uses the cached image on the instance. Secure CI/CD pipelines — Protect from any unauthorized access to source code repos or build tools. Compared to the Deployment definition from aws-service-operator/configs/aws-service-operator.yaml, this adds the http_proxy and no_proxy environment variables.
This botnet uses already infected servers to execute an open-source masscan IP port scanner instance that scans for exposed Docker APIs , installing itself in new containers on any misconfigured servers it finds. In order to not incur downtime when creating a new deployment you can either 1) Provision enough instances to deploy the new version alongside the old version. You can avoid allocating extra resources by setting the service’s “minimum healthy percent” parameter to 0 to allow ECS to remove your old service before deploying the new one. If your task is running under a service you can force a new deployment.
Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code. You can set ECR as a source, and ECS as a target botnet is stealing docker to deploy to. After deployment is finished, re-scale number of tasks to 1. See the Prometheus documentationfor more information on how to get up and running with Prometheus.