
gRPC/h2c Protocol Abuse Enables XRP Cryptomining via Docker Servers

Threat actors are exploiting Docker remote API servers for cryptomining, with a particular focus on mining XRP, a cryptocurrency designed for quick, low-cost international transfers. As the native token of the Ripple network, XRP supports a blockchain-based payment protocol that enables real-time, cross-border transactions for financial institutions, making it an attractive target for malicious actors seeking to profit from its value.

The attackers in this case take advantage of gRPC over h2c (clear-text HTTP/2), which lets them bypass common security defenses. gRPC, designed for efficient communication between services, is leveraged here for malicious purposes.


Breakdown of Attack Steps

  1. Initial Access and API Probing:
    • The attacker begins by pinging the Docker server to check its availability. Once access is confirmed, they send a version check request (Figure 3) to identify the Docker version in use. This step is crucial because it tells the attacker whether the server is running a version susceptible to their method of exploitation; a version with known vulnerabilities or misconfigurations is highly advantageous to them.
  2. Exploiting gRPC/h2c for Command Execution:
    • After verifying that the target is vulnerable, the attacker initiates a gRPC protocol upgrade (Figure 4), upgrading the connection to HTTP/2 over clear text (h2c). This upgrade evades many security tools that primarily monitor traditional HTTP/1.1 traffic and do not account for protocol changes. gRPC’s support for high-performance, bi-directional streaming becomes an asset to the attacker, allowing covert communication with the Docker server.
  3. Advanced gRPC Methods for Full Control:
    • The attacker then makes use of several gRPC methods, which are part of Docker’s API, to manage the server. These include:
      • Health checks (/grpc.health.v1.Health/Check and /grpc.health.v1.Health/Watch), which ensure that the attacker’s actions do not disrupt the Docker environment in a way that would raise suspicion. These methods allow continuous monitoring of the health status of Docker containers.
      • File Synchronization (/moby.filesync.v1.FileSync/DiffCopy and /moby.filesync.v1.FileSync/TarStream), used to transfer and synchronize files between the attacker’s server and the Docker host. This enables efficient deployment of malicious software, with minimal data transfer.
      • Authentication Management (/moby.filesync.v1.Auth/Credentials and /moby.filesync.v1.Auth/FetchToken), allowing the attacker to manipulate authentication tokens. By gaining control of these tokens, they ensure persistent access to the Docker environment.
  4. Cryptominer Deployment:
    • With the Docker server fully compromised, the attacker downloads the SRBMiner cryptominer from GitHub. SRBMiner is specifically designed for mining various cryptocurrencies, including XRP, using system resources for illicit purposes. Once installed, the miner is connected to the attacker’s cryptocurrency wallet and public IP address, effectively hijacking the server’s computational power to generate XRP for the attacker.

Impact of the Attack

This cryptomining operation places significant strain on compromised Docker environments. Cryptomining typically consumes large amounts of CPU and GPU resources, resulting in degraded performance for legitimate applications running on the same server. This can lead to operational inefficiencies and increased cloud hosting costs, and may raise suspicion if the degradation in service is noticed by users or administrators.

Furthermore, the attack demonstrates a growing trend of targeting cloud infrastructure. Docker, widely used for its flexibility in building and deploying containerized applications, has become an attractive target for cybercriminals because of the increasing number of misconfigured and exposed Docker APIs. By exploiting gRPC/h2c in this attack, the adversaries also highlight a gap in many organizations’ security postures, particularly regarding modern communication protocols.


Detecting the Docker Attack

Detecting an attack on Docker remote API servers, like the SRBMiner cryptominer deployment, involves monitoring for several key indicators. First, network traffic analysis should be conducted to detect unusual or unauthorized requests to the Docker API, particularly attempts to upgrade to gRPC/h2c. Since this is not a default method for Docker communication, such requests can be flagged as suspicious. Additionally, regular auditing of CPU, memory, and disk usage can reveal abnormal resource consumption patterns typical of cryptomining activity. Any unexpected spike in resource usage, especially one tied to Docker containers, should trigger further investigation. Intrusion detection systems (IDS) or endpoint detection and response (EDR) solutions can also be configured to identify unusual API calls, such as those related to file synchronization, health checks, or unauthorized authentication token management. Finally, implementing access controls and logging API activity can help detect and trace unauthorized access attempts or malicious changes in real time.
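As an added example (not code from the original post or from the report it summarizes), the Python script below applies the indicators from the attack steps and from this detection section to a constructed set of parsed Docker API requests: it tags the ping and version probe, the h2c upgrade headers, and POSTs to the gRPC service paths named above, then reports which source addresses completed the whole chain. The request dict layout, the source addresses and the `/v1.43` API prefix are assumptions; in practice the records would come from a reverse proxy log or a packet capture in front of the daemon.

```python
from collections import defaultdict

# gRPC service paths named in the report (health checks and BuildKit file sync).
GRPC_PREFIXES = ("/grpc.health.v1.", "/moby.filesync.v1.")

def classify(req):
    """Return indicator tags for one parsed request dict (constructed layout)."""
    tags = set()
    hdrs = {k.lower(): v.lower() for k, v in req.get("headers", {}).items()}
    path = req["path"]
    if path.endswith("/_ping"):
        tags.add("ping")
    if path.endswith("/version"):
        tags.add("version-check")
    # Cleartext HTTP/2 upgrade (RFC 7540 section 3.2): "Connection: Upgrade"
    # together with "Upgrade: h2c". The post treats this as a key indicator.
    if "h2c" in hdrs.get("upgrade", "") and "upgrade" in hdrs.get("connection", ""):
        tags.add("h2c-upgrade")
    if req["method"] == "POST" and path.startswith(GRPC_PREFIXES):
        tags.add("grpc:" + path)
    return tags

def analyze(requests):
    """Group requests by source address and report which sources completed the
    probe -> h2c upgrade -> gRPC method chain (tags are unioned per source)."""
    per_src = defaultdict(set)
    for req in requests:
        per_src[req["src"]] |= classify(req)
    report = {}
    for src, tags in per_src.items():
        used_grpc = any(t.startswith("grpc:") for t in tags)
        report[src] = {"tags": tags,
                       "chain_complete": {"version-check", "h2c-upgrade"} <= tags and used_grpc}
    return report

# Constructed sample: one source walks the full chain, one is a normal client.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "GET", "path": "/_ping", "headers": {}},
    {"src": "203.0.113.5", "method": "GET", "path": "/v1.43/version", "headers": {}},
    {"src": "203.0.113.5", "method": "POST", "path": "/grpc.health.v1.Health/Check",
     "headers": {"Connection": "Upgrade, HTTP2-Settings", "Upgrade": "h2c",
                 "HTTP2-Settings": "AAMAAABkAAQAAP__"}},
    {"src": "203.0.113.5", "method": "POST", "path": "/moby.filesync.v1.FileSync/DiffCopy",
     "headers": {"Content-Type": "application/grpc"}},
    {"src": "10.0.0.8", "method": "GET", "path": "/v1.43/version", "headers": {}},
    {"src": "10.0.0.8", "method": "GET", "path": "/v1.43/containers/json", "headers": {}},
]
```

A single version check from an internal address produces only a `version-check` tag; the alert fires only when one source also sends the h2c upgrade and calls a gRPC method, which keeps routine `docker version` traffic out of the alert queue.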


Further Security Considerations

The use of clear-text HTTP/2 (h2c) in this attack underscores the need for organizations to implement encrypted communication channels such as TLS for all remote API access. This would prevent attackers from upgrading to insecure protocols without detection.

In addition, intrusion detection systems (IDS) should be configured to detect protocol upgrades, particularly from HTTP/1.1 to h2c and gRPC, as this can often indicate an attempt to bypass standard security filters. Network segmentation is another key defense in this situation: limiting access to critical infrastructure like Docker APIs to trusted IPs or internal networks can significantly reduce exposure.

Lastly, organizations should regularly audit Docker API configurations and monitor for unusual network traffic or system resource usage spikes. Detecting cryptomining activity early is key to minimizing damage and preventing attackers from gaining a foothold.
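As an added example (not the post's own code), the audit below checks a Docker daemon.json for the weak remote-API settings the preceding paragraphs warn about: a TCP listener without client-certificate verification, a bind to all interfaces, and the conventional plaintext port, with a hardened configuration beside it. The two configurations and the certificate paths are constructed samples; the keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are Docker's documented daemon.json options.

```python
import json
from urllib.parse import urlparse

# Weak setting (constructed): TCP listener on every interface, no TLS at all.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Hardened (constructed paths): TLS with client-certificate verification,
# bound to one management address on the conventional TLS port.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

def audit_daemon_config(text):
    """Return a list of findings for a daemon.json document; empty means clean."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if urlparse(h).scheme == "tcp"]
    if not tcp_hosts:
        return findings  # only the local socket is exposed: nothing remote to probe
    if not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: any client that reaches "
                        "the port gets full control of the daemon")
    else:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if not cfg.get(key):
                findings.append(f"tlsverify is set but {key} is missing")
    for h in tcp_hosts:
        u = urlparse(h)
        if u.hostname in ("0.0.0.0", "::"):
            findings.append(f"{h} listens on all interfaces; bind to a management "
                            "address or restrict reachability with a firewall")
        if u.port == 2375:
            findings.append(f"{h} uses the conventional plaintext API port 2375")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```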

By targeting poorly secured Docker APIs and using techniques like gRPC/h2c, attackers can gain control of cloud resources and deploy cryptominers with relative ease. Strengthening Docker security through proper API configuration, TLS, access controls, and proactive monitoring is essential in defending against these threats.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. As part of our commitment to supporting businesses in their compliance journey, we offer CMMC (Cybersecurity Maturity Model Certification) preparation services. Our team assists organizations in understanding the CMMC requirements and developing the necessary controls to meet compliance standards, ensuring they are well-prepared for CMMC assessments.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.