Security companies Fortinet and Kromtech found seventeen tainted Docker containers that were essentially downloadable images containing programs that had been designed to mine cryptocurrencies. Further investigation found that they had been downloaded 5 million times, suggesting that hackers were able to inject commands into insecure containers to download this code into otherwise healthy web applications. The researchers found the containers on Docker Hub, a repository for user images.
“Of course, we can safely assume that these had not been deployed manually. In fact, the attack seems to be fully automated. Attackers have most probably developed a script to find misconfigured Docker and Kubernetes installations. Docker works as a client/server architecture, meaning the service can be fully managed remotely via the REST API,” wrote researcher David Maciejak.
The containers are now gone, but the hackers may have gotten away with up to $90,000 in cryptocurrency, a small but significant amount for such a hack.
“Today’s growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create a fully automated tool that forces these platforms to mine Monero,” said a writer of a report by Kromtech. “By pushing malicious images to a Docker Hub registry and pulling it from the victim’s system, hackers were able to mine 544.74 Monero, which is equal to $90,000.”
“As with public repositories like GitHub, Docker Hub is there for the service of the community. When dealing with open public repositories and open source code, we recommend that you follow a few best practices including: know the content author, scan images before running and use curated official images in Docker Hub and certified content in Docker Store whenever possible,” wrote Docker’s head of security David Lawrence in a Threatpost report.
Interestingly, of late hackers have moved from attacking AWS Elastic Compute servers on Amazon’s platform to Docker and other container-based systems. While there are security systems available to manage Docker and Kubernetes containers, users should remain vigilant and assess their vulnerabilities before hackers get more of an upper hand.