Hello, welcome to the Wednesday, December 2, 2020 edition of the Santernut Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Cisco's Talas research team has an interesting write-up about a tool that they're seeing attacking open unprotected Docker instances.

This is a fairly old technique in the sense that yes, there are all these unprotected Docker APIs available.

And this kind of exposure has of course been used for a while now in order

to install crypto coin miner, which also appears to be this tool's final goal.

Cisco calls this particular bot Xante and the part about the write-up that I sort of found

the most interesting is how it spreads via SSH.

Now, we have seen a lot of bots, of course, that are just brute forcing ZH credentials.

This is not Xanty's approach.

Instead, once it breaks into a particular host, it will search this host for SSH credentials,

public keys, private keys, that are either stored in standard locations like dot SSH or

in configuration files. And then it will use those keys to find other machines that are

trusting the particular compromised system. So this is of course classic in terms of using trust

relationships between systems, in particular if you're using SSH for automated logins,

it's often required that the respective key files are not password protected.

On the other hand, you should also limit what can actually be done with these keys.

Detecting Xanity should really be not a problem.

It's not really all that stealthy, for example, for HTTP requests.

It uses curl, but changes the user agent of curl, and even includes, for example, user agent strings like Xante, that's where the

name comes from, Shell Success, or We Must Have Got Killed, which of course are all user agent

strings that if you're paying attention at all, should stick out pretty easily.

...