Security alert: The threat is coming from inside your container images

Five malicious Docker container images were recently detected on Docker Hub, totaling more than 120,000 pulls.


Image: o_m/Shutterstock

There's a new threat cybersecurity teams have to watch out for: malicious Docker containers hiding on legitimate sites like Docker Hub, where Aqua Security's threat research arm, Team Nautilus, found five images accounting for a whopping 120,000 pulls by unsuspecting users.

Team Nautilus is further warning that the malicious Docker images could be part of a larger software supply chain attack with its eyes on disrupting cloud-native environments. Supply chain attacks traditionally involve physically tampering with hardware in order to install malicious code that can affect other organizations further down the chain. Consider these Docker images a digital version of a piece of equipment that has been tampered with to install malware.

Attack-wise, the code used in the five malicious images aims to do the same thing: install a malicious binary called xmrig that secretly mines the Monero cryptocurrency, invisibly eating up system resources.


Three of the images (thanhtudo, thieunutre and chanquaa) install xmrig using a Python script called, which was used in a previously discovered malicious Docker image called azurenql that was pulled 1.5 million times. These three images rely on misspellings to trick users into downloading them, and Nautilus said they are not likely to be part of the possible supply chain attack.

The other two malicious Docker images, openjdk and golang, try to trick users into believing they're images for the open source Java implementation OpenJDK and the open-source programming language Go. It's these that are likely part of a supply chain attack aiming to infect the companies that pull these images.

Assaf Morag, Team Nautilus lead data analyst, warned in a blog post announcing the discovery that supply chain attacks are a serious threat to cloud-native environments. "Organizations should create a security strategy that can detect and prevent supply chain attacks at every stage of the application lifecycle, from build to production," Morag said.

Recommendations for preventing supply chain attacks

In his blog post, Morag recommends three methods for preventing supply chain attacks, starting with controlling access to public registries and treating any that are in use as high risk. "Create a curated internal registry for base container images and limit who can access public registries. Enact policies that ensure container images are vetted before they're included in the internal registry," Morag said.

Second, Morag recommends using static and dynamic malware scanning on container images, as many attackers are able to obfuscate at-rest code. Monitor active images for suspicious traffic and other activity to ensure malware hasn't been downloaded at runtime.

Morag also recommends what basically amounts to treating software supply chains the same as physical ones: keep integrity records. "It is important to ensure that the container images in use are the same ones that have been vetted and approved," Morag said. Digital signing, blockchain-based chains of custody and other tools ensure that the Docker image you're downloading is the very same one you're supposed to be getting.

On a related note, and as mentioned above, attackers often rely on people downloading malicious files by mistake, both from Docker Hub and elsewhere, crafting carefully misspelled names likely to go unnoticed at a glance. Be sure to always check that you're downloading from the right source by looking at the publisher's profile, reading comments and vetting them before causing a security incident.
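As an added example (not from the article or from Aqua Security), the following Python check applies the three recommendations above, plus the lookalike-name warning, to an image reference before it is pulled: it requires the curated internal registry, requires a digest that matches a vetted allowlist, and flags Docker Hub images that reuse an official image name outside the library namespace. The registry name, the allowlist and its digests are constructed placeholders.

```python
import re

# Assumed curated internal registry and a constructed allowlist of vetted images;
# the digests are placeholders (all 'a' / all 'b'), not real image digests.
TRUSTED_REGISTRY = "registry.internal.example"
APPROVED_DIGESTS = {
    "registry.internal.example/base/openjdk": "sha256:" + "a" * 64,
    "registry.internal.example/base/golang": "sha256:" + "b" * 64,
}
# Constructed subset of Docker "official" library image names an attacker might imitate.
OFFICIAL_LIBRARY = {"openjdk", "golang", "python", "node"}

_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._:/-]*?)(?::(?P<tag>\w[\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def parse_ref(ref):
    """Split an image reference into (registry, repository, tag, digest), applying
    Docker's defaults: no registry means docker.io, and a bare name means library/<name>."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    parts = m.group("name").split("/")
    # The first path component is a registry host only if it looks like one.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry, repo = "docker.io", "/".join(parts)
        if "/" not in repo:
            repo = "library/" + repo
    return registry, repo, m.group("tag"), m.group("digest")

def check_image(ref):
    """Return policy findings for one image reference; an empty list means it is allowed."""
    registry, repo, _tag, digest = parse_ref(ref)
    findings = []
    if registry != TRUSTED_REGISTRY:
        findings.append(f"registry {registry} is not the curated internal registry")
    base = repo.rsplit("/", 1)[-1]
    # A Docker Hub image named like an official one, but outside the library/ namespace,
    # matches the pattern of the openjdk and golang images described above.
    if registry == "docker.io" and not repo.startswith("library/") and base in OFFICIAL_LIBRARY:
        findings.append(f"{repo} imitates the official '{base}' image under a user namespace")
    if digest is None:
        findings.append("not pinned by digest, so the vetted image cannot be confirmed")
    elif APPROVED_DIGESTS.get(f"{registry}/{repo}") != digest:
        findings.append("digest does not match any vetted and approved image")
    return findings
```

Run `check_image` over every image reference in a Dockerfile FROM line or deployment manifest in CI and fail the build when it returns any findings.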
