Malware attacks on Docker Hub spread millions of malicious repositories
Cybersecurity researchers at JFrog recently discovered three malicious campaigns in Docker Hub – Docker’s cloud-based registry service for storing and sharing container images. These campaigns contained millions of repositories that pushed generic Trojan malware to the developers.
JFrog concludes that keeping open-source repositories like Docker Hub free of malware is an extremely difficult task.
As the researchers explained, Docker Hub repositories have two main aspects: the images (an application that can be updated and accessed via a fixed name) and the metadata (short descriptions and documentation in HTML format, which are displayed on the main page of the repository).
Millions of bad repositories
“Typically, the repository’s documentation aims to explain the purpose of the image and provide guidelines for its use,” the researchers explained.
However, approximately 4.6 million repositories did not contain Docker images, meaning they could not run with a Kubernetes cluster or a Docker engine; they were practically useless. They only contained the overview page that tried to trick developers into visiting phishing websites or other pages with malicious code.
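A defender can turn that observation into a triage check. The script below is an added example, not JFrog's or Docker's code; it runs over constructed sample records shaped like Docker Hub v2 API responses (the field names full_description, count and results are an assumption about that API) and flags repositories that publish no tags yet link out from their overview page.

```python
import re

# Constructed sample data in the shape of the Docker Hub v2 API responses
# (GET /v2/repositories/{ns}/{name}/ and GET .../tags/). The field names are
# an assumption about that API; every value below is made up for this example.
SAMPLES = {
    "example-ns/free-ebook-download": {
        "meta": {"full_description": "Get the full PDF here: https://example.invalid/ebook\n"},
        "tags": {"count": 0, "results": []},
    },
    "example-ns/real-image": {
        "meta": {"full_description": "Alpine-based web server. Docs: https://example.invalid/docs"},
        "tags": {"count": 2, "results": [{"name": "latest"}, {"name": "1.0"}]},
    },
    "example-ns/empty-placeholder": {
        "meta": {"full_description": ""},
        "tags": {"count": 0, "results": []},
    },
}

URL_RE = re.compile(r"""https?://[^\s)\]>"']+""")

def outbound_links(text):
    """Return the distinct URLs found in a repository overview."""
    return sorted(set(URL_RE.findall(text or "")))

def is_image_less(tags_page):
    """True when the repository publishes no tags, i.e. nothing can be pulled."""
    return tags_page.get("count", 0) == 0 and not tags_page.get("results")

def triage(meta, tags_page):
    """Classify one repository using the signal described above: an overview
    page that links elsewhere but has no image behind it."""
    links = outbound_links(meta.get("full_description"))
    if is_image_less(tags_page):
        if links:
            return {"verdict": "suspicious", "reason": "no image, overview links out", "links": links}
        return {"verdict": "empty", "reason": "no image, no links", "links": []}
    return {"verdict": "has-image", "reason": "at least one tag published", "links": links}

def triage_all(samples=SAMPLES):
    """Run the check over every sample record and return verdicts by repository name."""
    return {name: triage(r["meta"], r["tags"]) for name, r in samples.items()}

if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name}: {result['verdict']} ({result['reason']})")
```

Against a live registry the same two calls would replace the constructed records; the verdict is only a triage signal, not proof of malice.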
Of the 4.6 million repositories, 2.81 million were linked to three campaigns: ‘Downloader’, ‘eBook Phishing’ and ‘Website SEO’.
By number of malicious repositories, Downloader was the largest, accounting for almost 10% of the entire share (1,453,228 repositories). It had far fewer users (9,309) than Website SEO (194,699), even though the latter took only 1.4% of the share with “only” 215,451 repositories.
eBook Phishing was second with 7.1% of the share (1,069,160 repositories), but it had only 1,042 users.
JFrog disclosed its findings to Docker, prompting the project to remove the malicious repositories – 3.2 million of them.
“Unlike typical attacks that directly target developers and organizations, in this case the attackers attempted to leverage the credibility of the Docker Hub platform, making it more difficult to identify the attempted phishing and malware installations,” said JFrog.
“Nearly three million malicious repositories, some of which have been active for more than three years, highlight the attackers’ continued misuse of the Docker Hub platform and the need for constant moderation on such platforms.”