loader gif

Docker Hub removes 17 backdoored images that earned cryptomining cybercriminals over $90,000

security,internet,password,data,breach,alert,antivirus,attack,blue,board,circuit,code,computer,confidential,crime,cybercrime,defense,digital,encryption,firewall,hack,hacked,hacker,hacking,identity,key,leak,lock,log,network,padlock,privacy,protect,protection,random,safe,searching,secure,shielding,software,spy,spyware,stealing,surveillance,technology,theft,thief,threat,virus,vulnerability

Docker Hub has removed 17 malicious container images that were used to install backdoor malware, cryptocurrency miners and reverse shells on users' servers over the past year.

Docker images are packages that include a pre-configured application running on top of an operating system.

According to Kromtech's report, the malicious images uploaded to Docker Hub were collectively downloaded over 5 million times. These Docker images were readily available on the official repository.

Although these docker images saved admins significant amounts of set-up time, hackers exploited them to execute their malicious activities and remained undetected from May 2017 to May 2018. This was primarily due to lack of security audits and a robust testing process. The images were listed directly on the portal without any prior examination.

All 17 images were uploaded on the Docker Hub portal by the same person/group using the pseudonym of 'docker123321'. Each image was advertised as a tool for a popular software product such as Cron, Apache Tomcat or MySql.

In most cases, the researchers observed that attackers used these poisoned images to install XMRig-based Monero miners and have mined up to 544.74 Monero ( about $90,000 as per current exchange rates).

However, users did report malicious activity occurring on their cloud servers due to certain Docker images and Kubernetes instances on Twitter and GitHub.

Following the response, the researchers tracked down all the incidents related to the ‘docker123321’ account and pulled the 17 images from Docker Hub on May 10, after Fortinet published a report linking Docker images created by the account to cryptomining incidents.

Although the 17 malicious images have been removed long back, Kromtech researchers warn that attackers could still have access to the systems due to the embedded reverse shells.

"For ordinary users, just pulling a Docker image from the DockerHub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it," Kromtech researchers said.

Wiping systems is probably the safest way for the users who have used one of the 17 Docker images. When dealing with Docker and Kubernetes-based environments, it is better to use your own Docker images or verified images, whenever possible.

loader gif