A cryptomining scheme has been discovered that uses malicious Docker images to hijack computing resources for mining cryptocurrency. Beyond mining, such images could also be used to mount a supply chain attack against cloud-native environments. The malicious images were uploaded to a legitimate Docker Hub repository.

What happened?

According to cybersecurity firm Aqua Security, five container images were discovered on Docker Hub during the regular analysis of container images, running commands to hijack resources for cryptocurrency mining.
  • The containers named thanhtudo, thieunutre, chanquaa, openjdk, and golang were accessed over 120,000 times by users.
  • These containers are not being managed by an attacker directly, although there's a script at the entry point that runs an automated attack. Right now, the attacks are only hijacking computing resources.

Additional insights

  • Three of these container images run a Python script named dao[.]py. This script has been part of various past campaigns that used typosquatting to hide container images on Docker Hub.
  • The other two container images rely only on misleading titles, OpenJDK and Golang, to trick users in a hurry. However, the Docker Hub accounts responsible for these images are not official accounts.
  • Two of the malicious container images (thanhtudo and thieunutre) are believed to be used in a supply chain attack. 

Conclusion

Cybercriminals are getting better at hiding their attacks to stay ahead of known defenses, especially when it comes to cryptomining. Organizations are therefore advised to vet container images before adding them to their internal registry.
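As an added illustration of the vetting step recommended above (this is example code, not code from the article or from Aqua Security), the Python below applies two checks to the JSON that `docker inspect` prints for a pulled image: whether a familiar official image name such as openjdk is published under a non-official Docker Hub namespace, and whether the image's entry point runs an interpreter with a script argument, the pattern described for the images above. The sample inspect output, the namespaces, the file paths and the allowlist of expected official names are all constructed assumptions.

```python
import json
import sys

# Constructed sample of the fields we use from `docker inspect` output for two
# hypothetical images. Names and paths are illustrative assumptions; the script
# name echoes the article's dao[.]py but the image itself is not a real one.
SAMPLE_INSPECT = json.dumps([
    {
        "RepoTags": ["someuser/openjdk:latest"],
        "Config": {"Entrypoint": ["python3", "/tmp/dao.py"], "Cmd": None},
    },
    {
        "RepoTags": ["openjdk:17"],
        "Config": {"Entrypoint": None, "Cmd": ["jshell"]},
    },
])

# Image names this organization expects to pull only as Docker official images
# (official images live in the implicit "library" namespace). Assumed allowlist.
OFFICIAL_NAMES = {"openjdk", "golang"}

# Interpreters whose presence at the entry point, with a script argument,
# deserves a closer look before the image is promoted to an internal registry.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}


def parse_reference(ref):
    """Split an image reference into (namespace, name).

    Handles tags, digests and registry hosts with ports; a bare name such as
    'openjdk:17' maps to the 'library' namespace used by official images.
    """
    ref = ref.split("@", 1)[0]              # drop any @sha256:... digest
    path, _, last = ref.rpartition("/")     # last component carries name[:tag]
    name = last.split(":", 1)[0]
    namespace = path or "library"
    return namespace, name


def vet_image(entry):
    """Return a list of human-readable findings for one inspect entry."""
    findings = []
    namespace, name = parse_reference(entry["RepoTags"][0])

    # Check 1: lookalike of an official image published by a non-official account.
    if name in OFFICIAL_NAMES and namespace != "library":
        findings.append(
            f"name '{name}' is published under non-official namespace '{namespace}'"
        )

    # Check 2: entry point invokes an interpreter with a script argument.
    # Docker runs Entrypoint followed by Cmd, so inspect the combined command.
    cfg = entry["Config"]
    command = list(cfg.get("Entrypoint") or []) + list(cfg.get("Cmd") or [])
    if command:
        executable = command[0].rsplit("/", 1)[-1]
        if executable in INTERPRETERS and len(command) > 1:
            findings.append(
                f"entry point runs interpreter '{executable}' with script {command[1]!r}"
            )
    return findings


def vet_inspect_output(json_text):
    """Map each image tag in a `docker inspect` JSON array to its findings."""
    return {e["RepoTags"][0]: vet_image(e) for e in json.loads(json_text)}


if __name__ == "__main__":
    # Usage: docker inspect IMAGE... | python vet_images.py   (or no stdin: sample data)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for tag, findings in vet_inspect_output(text).items():
        status = "REVIEW" if findings else "ok"
        print(f"{status:6} {tag}")
        for f in findings:
            print(f"       - {f}")
```

Both checks are deliberately coarse: a hit is a reason for a human to look at the image's layers and publisher before it is promoted, not proof of malice, and an image that passes both still needs the usual vulnerability scan and a pinned digest.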

Cyware Publisher
