1,650 malicious Docker Hub images found posing security threats
After discovering malicious behaviors in 1,652 of the 250,000 unverified Linux images publicly available on Docker Hub, security researchers have warned developers of the risks of using shared container images. The hidden malicious behaviors include cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors.
Docker Hub is a cloud-based container library that lets users freely search for and download Docker images, and upload their own to the public library or to personal repositories. Containers are simple to deploy and scale across computing environments, so DevOps teams frequently reuse publicly available container images shared by others to reduce time-to-market.
Docker Hub is the most popular free container registry, and Docker images are templates for quickly creating containers with ready-to-use code and applications. As a result, teams that need to spin up new instances frequently turn to Docker Hub for an easily deployable application.
According to a Sysdig report, cryptominers accounted for the largest share of malicious images, followed by images containing embedded secrets such as SSH keys, Amazon Web Services credentials, GitHub tokens, and NPM tokens. The Sysdig researchers note that secrets embedded in public images may have been left there accidentally or planted intentionally.
“By embedding an SSH key or an API key into the container, the attacker can gain access once the container is deployed… For instance, uploading a public key to a remote server allows the owners of the corresponding private key to open a shell and run commands via SSH, similar to implanting a backdoor,” Sysdig said. The report goes on to say that threat actors are hiding malware in legitimate-looking Docker Hub images. Although the malicious images were a small fraction of the 250,000 examined, they demonstrate the potential risk to developers, and the methods Sysdig describes are aimed specifically at cloud and container workloads.
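The kinds of embedded secret Sysdig lists (authorized SSH public keys, AWS access keys, GitHub and npm tokens, private keys) can be checked for before an image is run. The following is an added example written for this article, not Sysdig's tooling and not code from the report: it walks every layer of a `docker save` archive and greps each file for those secret classes. All file names, the constructed two-layer sample image and the placeholder credentials (the AWS documentation example key, a made-up npm token, a dummy SSH public key) are assumptions for the demonstration.

```python
import io
import re
import sys
import tarfile

# Regexes for the secret classes the article lists. The formats are the
# published ones (AWS access key IDs, GitHub and npm token prefixes);
# the detector itself is an illustration, not Sysdig's tooling.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(rb"\bnpm_[A-Za-z0-9]{36}\b"),
    "ssh_private_key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}
# A public key line in an authorized_keys file is the "uploaded public key"
# backdoor Sysdig describes: whoever holds the private key gets a shell.
AUTHORIZED_KEY_LINE = re.compile(
    rb"^(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/=]+", re.M)
MAX_FILE_BYTES = 4 * 1024 * 1024  # skip huge binaries; tune for real use


def scan_layer(layer_bytes):
    """Return (path, finding) pairs for one layer tarball (plain or gzipped)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            data = layer.extractfile(member).read()
            if member.name.endswith(".ssh/authorized_keys") and AUTHORIZED_KEY_LINE.search(data):
                findings.append((member.name, "authorized_keys_backdoor"))
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, kind))
    return findings


def scan_image(image_bytes):
    """Scan every layer of a `docker save` archive, not just the merged filesystem.

    Each layer is inspected on its own, so a secret added in one layer and
    deleted in a later one (a .wh.* whiteout) is still reported. Any regular
    file in the archive that opens as a tar is treated as a layer, which
    covers both the legacy <id>/layer.tar layout and OCI blobs/sha256/<digest>.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as image:
        for member in image:
            if not member.isfile():
                continue
            blob = image.extractfile(member).read()
            try:
                layer_findings = scan_layer(blob)
            except tarfile.ReadError:
                continue  # manifest.json, config JSON and the like are not layers
            findings.extend((member.name, path, kind) for path, kind in layer_findings)
    return findings


def _tar_bytes(files):
    """Build an in-memory tar from {name: content} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image in `docker save` layout; every secret is a placeholder."""
    layer1 = _tar_bytes({
        "etc/hostname": b"builder\n",
        "root/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyPLACEHOLDERkeyPLACEHOLDER attacker@example\n",
        "root/.aws/credentials": (b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                  b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    })
    layer2 = _tar_bytes({
        "root/.aws/.wh.credentials": b"",  # whiteout: credentials file removed from the final image
        "root/.npmrc": b"//registry.npmjs.org/:_authToken=npm_abcdefghijklmnopqrstuvwxyz0123456789\n",
    })
    return _tar_bytes({
        "manifest.json": b'[{"Config":"cfg.json","Layers":["l1/layer.tar","l2/layer.tar"]}]',
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


if __name__ == "__main__":
    # Usage: docker save some/image -o image.tar && python scan_image.py image.tar
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for layer, path, kind in scan_image(image):
        print(f"{layer}: {path}: {kind}")
```

On the constructed sample the scanner reports the authorized_keys backdoor and the AWS key in the first layer and the npm token in the second. The AWS credentials file is deleted by a whiteout in the second layer, so it is absent from a running container and from `docker history`, yet anyone who pulls the image still receives the layer that contains it; scanning per layer rather than the merged filesystem is what catches that case.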
Typosquatting has also been used to disguise cryptominer-laced images as trusted images. The security risk posed by Docker Hub images is only expected to grow as use of images from public repositories grows.
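A typosquatted image works because `docker pull ngnix` or `docker pull someuser/nginx` looks close enough to the official `nginx` to pass a glance. As an added example for this article (not tooling from Sysdig or Docker), the check below expands a reference the way Docker does (no registry means docker.io, a bare name means the `library` namespace), then compares the image name against an allowlist using edit distance so that near-misses and same-name-different-namespace images are flagged before a pull. The allowlist, the distance threshold of 2 and the sample references are assumptions for the demonstration.

```python
# Constructed allowlist of images the team has vetted; in practice this comes from policy.
TRUSTED_IMAGES = {
    "docker.io/library/nginx",
    "docker.io/library/python",
    "docker.io/library/alpine",
    "docker.io/library/ubuntu",
}


def normalize(ref):
    """Expand a Docker reference to registry/namespace/name, dropping tag and digest.

    Mirrors Docker's defaults: no registry means docker.io, and a bare name
    on docker.io means the official "library" namespace.
    """
    ref = ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition(":")
    if sep and "/" not in tail:          # ':' belongs to a tag, not a registry port
        ref = head
    parts = ref.lower().split("/")
    first = parts[0]
    if len(parts) == 1 or not ("." in first or ":" in first or first == "localhost"):
        parts.insert(0, "docker.io")
    if parts[0] == "docker.io" and len(parts) == 2:
        parts.insert(1, "library")
    return "/".join(parts)


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition ("ngnix")
    return d[-1][-1]


def check_reference(ref, trusted=TRUSTED_IMAGES, max_distance=2):
    """Return (verdict, normalized_ref, closest_trusted_or_None).

    "trusted"   : exact match on the allowlist
    "lookalike" : name within max_distance of a vetted image but not that image
                  (covers both "ngnix" and "someuser/nginx")
    "untrusted" : not on the allowlist and not near anything on it
    """
    full = normalize(ref)
    if full in trusted:
        return ("trusted", full, full)
    name = full.rsplit("/", 1)[-1]
    best, best_dist = None, None
    for t in trusted:
        dist = edit_distance(name, t.rsplit("/", 1)[-1])
        if best_dist is None or dist < best_dist:
            best, best_dist = t, dist
    if best_dist is not None and best_dist <= max_distance:
        return ("lookalike", full, best)
    return ("untrusted", full, None)


if __name__ == "__main__":
    for ref in ["nginx:1.25", "ngnix", "evilcorp/nginx", "redis"]:
        print(ref, "->", check_reference(ref))
```

A "lookalike" verdict is a reason to stop and confirm the name, not proof of malice; a legitimately named internal mirror such as `registry.internal/nginx` trips the same rule until it is added to the allowlist, which is the intended behaviour for a pre-pull gate.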
The sources for this piece include an article in BleepingComputer.
Watch this news on our YouTube channel: https://www.youtube.com/watch?v=KCXufqB4_qI