Over a thousand Docker container images found hiding malicious content
More than a thousand container images hosted on the popular database repository Docker Hub are malicious, putting users at risk of cyberattacks, experts warn.
According to a report from Sysdig, the images contain nefarious assets such as cryptominers, backdoors and DNS hijackers.
Container images are essentially templates for creating applications quickly and easily, without having to start from scratch when reusing certain features. Docker Hub allows users to upload and download these images to and from the public library.
Types of malware
The Docker Library Project reviews images and verifies those it deems reliable, but there are plenty that are unverified. Sysdig automatically scanned a quarter of a million unauthenticated Linux images and found 1,652 hiding malicious elements.
Cryptominers were the most common malicious payload, present in 608 of the scanned images. Next came embedded secrets, such as AWS credentials, SSH keys, GitHub tokens and NPM tokens, found in 208 of the images.
Sysdig noted that these embedded keys mean that “the attacker can gain access once the container is deployed…by uploading a public key to a remote server, the owners of the corresponding private key can open a shell and execute commands via SSH, similar to implanting a back door.”
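The embedded-secret finding above is the kind of thing an image scanner catches by walking the files in each layer and pattern-matching for credential material, including the authorized_keys backdoor case the quote describes. The following is an added example written for this article, not Sysdig's scanner or any Docker project code; the regexes, file paths and sample layer contents are all constructed for illustration and the key values are fake.

```python
import re
from typing import Dict, List, Tuple

# Constructed patterns for secret material commonly left behind in image layers.
# These are illustrative, not a complete or vendor rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:OPENSSH |RSA |EC )?PRIVATE KEY-----"),
    "ssh_public_key": re.compile(r"\bssh-(?:rsa|ed25519) [A-Za-z0-9+/=]+"),
}

Finding = Tuple[str, str, int]  # (path inside the image, kind of secret, line number)


def scan_file(path: str, content: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit in a single extracted file."""
    findings: List[Finding] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if not pattern.search(line):
                continue
            label = kind
            # A public key dropped into authorized_keys is the SSH backdoor case:
            # whoever holds the private key gets a shell once the container runs.
            if kind == "ssh_public_key" and path.endswith(".ssh/authorized_keys"):
                label = "ssh_backdoor_authorized_key"
            findings.append((path, label, lineno))
    return findings


def scan_layer(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> text content (e.g. files extracted from a layer tar)."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


# Constructed sample layer: a Dockerfile with a baked-in AWS key, an .npmrc with a
# token, an attacker-controlled authorized_keys entry, and one harmless file.
SAMPLE_LAYER = {
    "/app/Dockerfile": (
        "FROM alpine:3.18\n"
        "ENV AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001\n"
        "RUN apk add --no-cache curl\n"
    ),
    "/root/.npmrc": "//registry.npmjs.org/:_authToken=npm_0123456789abcdef0123456789abcdef0123\n",
    "/root/.ssh/authorized_keys": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyMaterial attacker@example\n"
    ),
    "/etc/motd": "Welcome to the container\n",
}

if __name__ == "__main__":
    for path, kind, lineno in scan_layer(SAMPLE_LAYER):
        print(f"{path}:{lineno}: {kind}")
```

In practice you would feed `scan_layer` the files extracted from each layer tarball of a `docker save` archive; plain text matching like this will not see secrets inside binaries or compressed blobs, so treat it as a first pass rather than a complete check.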
Typosquatting was a popular and successful tactic used by threat actors behind the malicious images: publishing slightly misspelled versions of popular, trusted images in the hope that potential victims won’t notice and pull the fraudulent version instead.
Indeed, it worked at least 17,000 times, as this was the combined number of downloads from two typosquatted Linux images.
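One defensive check against the typosquatting tactic above is to compare every image reference a pipeline pulls against an allowlist of trusted official images and flag near-misses. The following is an added example written for this article, not code from Sysdig or Docker; the allowlist, the edit-distance threshold of 2 and the sample references are constructed assumptions. It also catches the related case of a trusted name published under an untrusted namespace, which goes slightly beyond the misspellings the article describes.

```python
from typing import Optional, Sequence, Tuple

# Constructed allowlist of official Docker Hub images (the "library" namespace).
TRUSTED_IMAGES: Sequence[str] = ("alpine", "ubuntu", "nginx", "postgres", "python", "redis", "busybox")

# Maximum edit distance at which an unknown name is treated as a look-alike (assumed).
MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_ref(ref: str) -> Tuple[str, str]:
    """Split an image reference into (namespace, repository name).

    Drops a leading registry host, the tag and any digest, and treats a bare
    name such as "ubuntu:22.04" as living in the official "library" namespace.
    """
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]  # first component was a registry host, not a namespace
    name = parts[-1].split("@", 1)[0].split(":", 1)[0].lower()
    namespace = "/".join(parts[:-1]).lower() or "library"
    return namespace, name


def classify(ref: str, trusted: Sequence[str] = TRUSTED_IMAGES) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted image the reference resembles or None).

    verdicts: "trusted", "namespace-mismatch", "typosquat", "unknown"
    """
    namespace, name = parse_ref(ref)
    if name in trusted:
        # Exact official name, but only the library namespace is the real one.
        return ("trusted", name) if namespace == "library" else ("namespace-mismatch", name)
    best: Optional[Tuple[str, int]] = None
    for candidate in trusted:
        distance = levenshtein(name, candidate)
        if distance <= MAX_DISTANCE and (best is None or distance < best[1]):
            best = (candidate, distance)
    return ("typosquat", best[0]) if best else ("unknown", None)


if __name__ == "__main__":
    # Constructed references a CI pipeline might be asked to pull.
    for ref in ("ubuntu:22.04", "docker.io/library/nginx", "ubunto", "busyb0x",
                "evil/ubuntu", "myorg/internal-tool"):
        print(f"{ref:28} -> {classify(ref)}")
```

A verdict of "typosquat" or "namespace-mismatch" is a good place to fail the build and ask a human to confirm the image was intended; "unknown" only means the name is not close to anything on the allowlist and still needs the usual review.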
Sysdig claims that the number of images pulled from the public library has increased by 15% this year, so it looks like the problem won’t go away any time soon.