Researchers Find over 1,600 Malicious Images on Docker Hub

1600 images in Docker Hub
Written by Emma Davis

Sysdig experts have found that more than 1,600 images on Docker Hub demonstrate various malicious behaviors. They can hide cryptocurrency miners, built-in secrets that can be used as backdoors, DNS compromise malware, and website redirectors.

Let me remind you that we also wrote that Many Repositories on GitHub Are Cloned and Distribute Malware, and also that Dozens of PyPI Packages Distribute W4SP Malware.

More and more attackers are abusing Docker Hub, and more than a thousand malicious images pose a serious threat to unsuspecting users, researchers warn. After all, such dangerous images are eventually deployed in local or cloud containers.

It is noted that many malicious images use tiposquatting, that is, names that are as similar as possible to the names of popular projects, that is, attackers clearly seek to force victims to accidentally download them. Unfortunately, this tactic does not work well, for example, thanks to it, the two images from the illustration below were downloaded almost 17,000 times.

1600 images in Docker Hub

The expert report says that in addition to the images checked by the Docker Library Project, the service contains hundreds of thousands of images with an unknown status. To check them, Sysdig used automated scanners, carefully examining 250,000 unverified Linux images. As a result, 1652 of them turned out to be malicious.

1600 images in Docker Hub

The most widespread in the Docker Hub were miners who used the resources of the victims to mine cryptocurrency. They were found in 608 images. In second place are images with built-in secrets (281 cases). Secrets are SSH keys, AWS credentials, GitHub tokens, NPM tokens, and so on. The researchers write that these secrets could be forgotten in the code by mistake, but they could also be deliberately introduced by attackers.

By the way, the media wrote that Miners Massively Use Free GitHub, Heroku and Buddy Accounts in Their Campaigns.

1600 images in Docker Hub

By embedding an SSH key or an API key in a container, the attacker guarantees himself access after the container is deployed. For example, uploading a public key to a remote server allows the owners of the corresponding private key to open a shell and execute commands via SSH, similar to the introduction of a backdoor.the analysts write.

Sysdig summarizes that, unfortunately, the size of Docker Hub does not allow service operators to check all downloads daily and quickly, and because of this, many malicious images are simply not reported.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply