CrowdStrike detects denial-of-service attack using Docker images with target lists that overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army.

Researchers from cybersecurity vendor CrowdStrike have detected a denial-of-service (DoS) attack compromising Docker Engine honeypots to target Russian and Belarusian websites amid the ongoing Russia-Ukraine war. According to the firm, the honeypots were compromised four times between February 27 and March 1, 2022, with two different Docker images that both carry target lists overlapping with domains reportedly shared by the Ukraine government-backed Ukraine IT Army. CrowdStrike has therefore linked the attacks to pro-Ukrainian activity against Russia. It has also warned of the risk of retaliatory activity by threat actors supporting the Russian Federation against organizations whose compromised infrastructure is being leveraged to conduct disruptive attacks against government, military, and civilian websites.

Honeypots compromised via exposed Docker Engine API

The honeypots were compromised via an exposed Docker Engine API, a technique commonly used by opportunistic campaigns such as LemonDuck or WatchDog to infect misconfigured container engines, CrowdStrike stated in a blog post. The first Docker image used in the attack was observed in three of the four incidents and is hosted on Docker Hub. “This image has been downloaded over 100,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. The Docker image contains a Go-based HTTP benchmarking tool named bombardier…that uses HTTP-based requests to stress-test a website,” the vendor added. Targeted websites include those in the government, military, media, and retail sectors in both Russia and Belarus.
“CrowdStrike Intelligence assesses the activity deploying this Docker image as very likely automated based on closely overlapping timelines in the interaction with the Docker API,” CrowdStrike said.

The second Docker image used in the attack has been downloaded over 50,000 times from Docker Hub, CrowdStrike continued. “The image contains a custom Go-based DoS program named stoppropaganda…that sends HTTP GET requests to a list of target websites that overloads them with requests. Again, the attack focused on websites of the Russian and Belarusian media, government, military, energy, mining, and finance sectors.”
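The exposure pattern described above, an Engine API reachable over TCP with no TLS client verification and then used to start a container that runs an HTTP flood tool, can be audited on a Docker host with a short script. The following is an added example, not CrowdStrike's code and not taken from the blog post. It checks a daemon.json for a TCP listener without tlsverify (the weak configuration beside the hardened one), optionally probes a host's unauthenticated /version endpoint the way an opportunistic scanner would, and scans the output of GET /containers/json for containers whose command line or image name mentions the two tools the article names. The daemon.json contents, the container inventory, the image name example/httpbench and the target host target.invalid are all constructed sample data, not real indicators.

```python
"""Audit a Docker host for an exposed Engine API and for containers running
the HTTP flood tools (bombardier, stoppropaganda) named in the article.
Added example; not CrowdStrike's tooling. Sample data below is constructed."""
import http.client
import json
import socket
from urllib.parse import urlparse

# Binaries the article names; matched case-insensitively against Command/Image.
SUSPICIOUS_BINARIES = ("bombardier", "stoppropaganda")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed daemon.json examples: the weak setting and the corrected one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed body of GET /containers/json; image name and target are placeholders.
SAMPLE_CONTAINERS = json.dumps([
    {"Id": "3f2a6c0d9e1b4a7f8c2d", "Image": "nginx:1.25",
     "Command": "nginx -g 'daemon off;'"},
    {"Id": "9b1ce4f2a8d07b6e5c3a", "Image": "example/httpbench:latest",
     "Command": "bombardier -c 1000 -d 3600s http://target.invalid"},
])


def exposed_tcp_hosts(daemon_json: str) -> list:
    """Return tcp:// listeners from a daemon.json that accept API calls from
    non-loopback addresses without TLS client certificate verification."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local by construction
        if url.hostname not in LOOPBACK and not tls_verify:
            findings.append(host)
    return findings


def flag_containers(containers_json: str) -> list:
    """Scan a /containers/json response for containers whose Command or Image
    mentions one of the DoS binaries. Returns a summary dict per hit."""
    hits = []
    for c in json.loads(containers_json):
        haystack = f"{c.get('Command', '')} {c.get('Image', '')}".lower()
        if any(binary in haystack for binary in SUSPICIOUS_BINARIES):
            hits.append({"id": c.get("Id", "")[:12],
                         "image": c.get("Image"),
                         "command": c.get("Command")})
    return hits


def probe_engine_api(host: str, port: int = 2375, timeout: float = 3.0):
    """Live check: request /version with no credentials. Returns the parsed
    version document if the daemon answers, None otherwise. Only run against
    hosts you own or are authorised to test."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        if resp.status == 200:
            return json.loads(resp.read())
    except (OSError, socket.timeout, ValueError):
        pass
    return None


if __name__ == "__main__":
    print("weak config exposes:", exposed_tcp_hosts(WEAK_DAEMON_JSON))
    print("hardened config exposes:", exposed_tcp_hosts(HARDENED_DAEMON_JSON))
    for hit in flag_containers(SAMPLE_CONTAINERS):
        print("suspicious container:", hit)
```

Note that tlsverify only helps if the three certificate paths actually point at a CA and keypair you control; the check treats the flag as sufficient because that is what the daemon enforces. Binding the API to a loopback address and reaching it through SSH or a VPN removes the exposure entirely, which is why loopback listeners are not reported.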