An analysis of over 250,000 Linux images hosted on Docker Hub by researchers over at Sysdig has revealed 1,652 malicious containers hosted in Docker Hub repositories. The analysis focussed only on publicly posted images and did not include official and verified images.
Docker Hub is a cloud-based container library that allows people to search for and post Docker images — templates allow for the quick and easy creation of containers with ready-to-use code and applications.
Like other code repositories like GitHub or PyPI, threat actors use this to their advantage to create images or repositories that resemble legitimate ones to trick unsuspecting users into downloading a malicious image. This isn’t an isolated issue with code repositories either; threat actors often abuse programs like Discord to host malicious software as well.
Sysdig reports that crypto mining images lead the way with 608 malicious images, followed by Embedded secrets at 281 and Proxy avoidance images at 266. The full breakdown of malicious images by type of malicious content is as follows:
- Crypto mining — 608
- Embedded secrets — 281
- Proxy avoidance — 266
- Newly registered domains — 134
- Malicious websites — 129
- Hacking — 38
- Dynamic DNS — 33
- Other — 288
While seeing crypto mining malware at the top of the list isn’t surprising, embedded secret images pose a difficult challenge. Secrets like SSH or API keys embedded in an image can allow a threat actor to gain access once the container is deployed. This can either be caused by bad coding practices from the developer or can be intentionally done by the threat actor themselves.
As mentioned, many of these images are also named after legitimate packages to trick users into downloading them, a practice known as typosquatting. The two images below containing the XMRig miner tool by an author named ‘vibersastra’ have been downloaded over 16,900 times.
In 2022, nearly 61% of all images pulled from Docker Hub came from these public repositories. This is a 15% rise from last year, which means as more users start using images from Docker Hub, more people are at risk of being compromised by a malicious image.
Additionally, most threat actors are only uploading a few malicious images. This ensures that the platform’s overall threat perception doesn’t change significantly even if the image is removed or the author is banned.
In the News: Review: Maono WM821 dual wireless microphone system