Hackers Abuse Docker Hub Repositories to Disguise Malicious Containers

The latest discovery

• The type of content was categorized as cryptomining (608), embedded secrets (281), proxy avoidance (266), newly registered domains (134), malicious websites (129), hacking (38), dynamic DNS (33), and others (288).
• Based on the type of leaked secret, these images are subcategorized as SSH keys (155), AWS credentials (146), GitHub tokens (134), NPM tokens (24), and others (78).

How does it work?

• The size of the Docker Hub public library is huge, thus its operators cannot scrutinize all uploads daily. Due to this, many malicious images go unreported.
• These malicious images used typosquatting to impersonate legitimate and trusted images to infect users with cryptominers, such as XMRig.
• Although threat actors used different usernames to publish these images, researchers suggest they most likely belong to the same threat actor or are following the same set of instructions.

Recent attacks on Docker

• At the beginning of this month, a new cryptojacking campaign called Kiss-a-Dog was observed targeting vulnerable cloud infrastructure, including poorly secured Docker and Kubernetes servers.
• In September, Kinsing malware was seen taking advantage of security flaws in the WebLogic Server, targeting container environments via misconfigured open Docker Daemon API ports.

Conclusion