Crypto miner in container

Hi all,

I’ve been running an LSIO unifi-controller container in Azure for over 6 months without any issue. The docker host is an Ubuntu 18.04 default image, with Docker CE installed…

Just over a week ago I got a message from Azure support saying my account had been disabled due to suspicious activity, following which it took several days to get a response from them to say they’d seen crypto mining activity on my account.

It then took a couple more days to get my account activated, following which I have been working my way through checking each of my VMs.

A scan on the disk containing the unifi-controller volume immediately picked up a couple of infected files:

/volume1/docker/volumes/unifi/.../.x/stak/xmrig: Multios.Coinminer.Miner-6781728-2 FOUND
/volume1/docker/volumes/unifi/.../.x/h64: Unix.Malware.Agent-1395347 FOUND

The … directory was in the root of the /config mapping on the container - my compose file is below for reference:

version: "2.1"
services:
  unifi-controller:
    image: ghcr.io/linuxserver/unifi-controller
    container_name: unifi-controller
    environment:
      - PUID=1000
      - PGID=1000
      - MEM_LIMIT=1024M #optional
    volumes:
      - /volume1/docker/volumes/unifi:/config
      - /volume1/docker/volumes/shared:/shared
    ports:
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 8443:8443
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514 #optional
    restart: unless-stopped

Basically, in the root of the volume mapped to /config there is a … directory, inside of which is the crypto-miner…

The docker host VM is running just docker CE and the unifi-controller container via the above compose file. It’s configured with public-key only authentication, with the same public key used for other instances, which have not been attacked. I’m definitely not ruling out my error at all, but equally I wanted to share this here in case others have been affected…

I would appreciate any feedback or suggestions on the above - thanks in advance!
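For anyone with the same layout who wants a quick first pass over their own bind-mounted volumes, the script below is an added example and not part of the original post or of the LinuxServer.io project. It walks a volume root (the post's /volume1/docker/volumes/unifi mapping is only a suggested argument) and lists regular files that sit under a dot-directory and start with the ELF magic bytes, which is the shape of the find reported above (a miner binary under a hidden .x directory). Function names and the sample layout in the comments are my own assumptions; it is a heuristic, not a replacement for a full AV scan.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag ELF executables that live
# below a hidden (dot) directory inside a Docker bind-mounted volume.
set -u

# find_hidden_elf ROOT
# Prints each regular file under ROOT whose path, relative to ROOT, passes
# through a directory whose name begins with '.', and whose first four bytes
# are the ELF magic 7f 45 4c 46. Only four bytes per file are read, so this
# is cheap even on a volume that holds a large MongoDB data directory.
find_hidden_elf() {
  local root="${1%/}"
  find "$root" -type f 2>/dev/null | while IFS= read -r f; do
    rel="${f#"$root/"}"
    # Require a dot-directory component; a lone dotfile (e.g. .bashrc) is
    # not enough, a file placed under .x/ or .x/stak/ is.
    case "/$rel" in
      */.*/*) ;;
      *) continue ;;
    esac
    # od gives a locale-independent hex dump of the first four bytes.
    if [ "$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]; then
      printf '%s\n' "$f"
    fi
  done
}

# count_hidden_elf ROOT
# Number of hits; handy as a pass/fail value in a cron job or a CI check.
count_hidden_elf() {
  find_hidden_elf "$1" | wc -l | tr -d ' '
}

# Suggested usage against the /config mapping from the compose file above
# (assumed path, adjust to your own volume root):
#   find_hidden_elf /volume1/docker/volumes/unifi
```

Run it on the Docker host rather than inside the container, so the result does not depend on a possibly tampered container userland, and treat any hit as a reason to take the volume offline and scan it properly rather than as a verdict in itself.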

Unifi has had a bunch of 0-days; the last, and most popular, was log4j.

Thanks for that, I’ll do some more digging!