"Pro-Ukrainian DoS Attack Compromises Docker Engine Honeypots to Target Russian, Belarusian Websites"

Cybersecurity researchers from CrowdStrike have detected a Denial-of-Service (DoS) attack that has been compromising Docker Engine honeypots to take down Russian and Belarusian websites amid the Russia-Ukraine war. The researchers discovered that the honeypots were compromised four times between February 27 and March 1, 2022, with two different Docker images sharing target lists that overlap with domains shared by the Ukraine government-backed IT Army. Therefore, the attacks are believed to be linked to pro-Ukrainian activity against Russia. CrowdStrike warns of the risk of retaliatory activity by threat actors supporting the Russian Federation against organizations being used to carry out disruptive attacks against government, military, and civilian websites.

According to the researchers, the honeypots were compromised through an exposed Docker Engine Application Programming Interface (API). This technique is commonly used by campaigns such as LemonDuck and WatchDog to infect misconfigured container engines.

One of the Docker images used in the attack was observed in most of the incidents and is hosted on Docker Hub. It has been downloaded more than 100,000 times, but the number of downloads from compromised infrastructure has not been assessed. The Docker image consists of a Go-based HTTP benchmarking tool that uses HTTP-based requests to stress-test a website. Government, military, media, and retail websites have been targeted. This article continues to discuss CrowdStrike's detection of a DoS attack compromising Docker Engine honeypots to target Russian and Belarusian websites.

CSO Online reports "Pro-Ukrainian DoS Attack Compromises Docker Engine Honeypots to Target Russian, Belarusian Websites"

Submitted by Anonymous on