Security researchers warn that more than a thousand container images hosted on Docker Hub, the popular public container image registry, are malicious, putting anyone who pulls them at risk of compromise.
According to a report from Sysdig, the images carry payloads such as cryptocurrency miners, backdoors and DNS hijackers.
A container image is a prebuilt, layered filesystem plus the metadata needed to run it, so developers can start from a ready-made base (an operating system, a runtime, an application) instead of building everything from scratch. Docker Hub lets anyone upload images to its public library and anyone else pull them.
Types of Malware
The Docker Library project reviews the images it publishes as official and marks them as verified, but the bulk of the library is unverified. Sysdig automatically scanned about 250,000 unverified Linux images and found 1,652 that contained malicious content.
Cryptominers were the most common malicious implant, present in 608 of those images. Next came embedded secrets, such as AWS credentials, SSH keys, and GitHub and npm tokens, which were found in 208 images.
Sysdig commented that these embedded keys mean “an attacker can gain access once the container is deployed…sending the public key to a remote server allows owners of the corresponding private key to open a shell and run commands via SSH, similar to backdoor implantation.”
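As an added example (it is not from the Sysdig report or the article), here is a small Python scanner for the two findings described above. It walks an image filesystem that has been extracted to a directory (for instance with `docker export`, or by untarring the layers of `docker save`), flags files that match well-known credential formats (AWS access key IDs, PEM private key headers, GitHub classic tokens, npm registry tokens), and reports any `authorized_keys` file baked into the image, which is exactly the SSH backdoor Sysdig describes. The directory layout, file contents and credential values are all constructed for the demo; the AWS pair is the one AWS itself uses in its documentation.

```python
"""Scan an extracted container image filesystem for embedded secrets and SSH backdoors."""
import re
import tempfile
from pathlib import Path

# Credential signatures: (label, regex). The formats are the publicly documented
# shapes of each credential type; which ones to include is this example's own choice.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("npm_token", re.compile(r"//registry\.npmjs\.org/:_authToken=\S+")),
]
# A public key line of the kind found in ~/.ssh/authorized_keys.
SSH_PUBKEY = re.compile(r"^(?:ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+", re.M)
MAX_FILE_BYTES = 1 << 20  # credentials live in small text files; skip large binaries


def scan_rootfs(root):
    """Return sorted (relative_path, label) findings for every regular file under root."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            if path.stat().st_size > MAX_FILE_BYTES:
                continue
            text = path.read_bytes().decode("utf-8", errors="ignore")
        except OSError:
            continue
        rel = path.relative_to(root).as_posix()
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(text):
                findings.add((rel, label))
        # An authorized_keys file shipped inside the image is the backdoor the
        # report describes: whoever holds the matching private key gets a shell
        # as soon as sshd runs in the container.
        if path.name == "authorized_keys" and SSH_PUBKEY.search(text):
            findings.add((rel, "baked_in_authorized_keys"))
    return sorted(findings)


def build_sample_rootfs():
    """Create a throwaway directory mimicking a malicious image's filesystem (all contents constructed)."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    files = {
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialNotReal000 implant@example\n",
        "root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAAconstructed\n-----END OPENSSH PRIVATE KEY-----\n",
        "app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "home/dev/.npmrc": "//registry.npmjs.org/:_authToken=npm_constructedToken000000000\n",
        "src/deploy.py": 'TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # constructed: 36 chars after ghp_\n',
        "usr/local/bin/healthcheck": "#!/bin/sh\ncurl -fsS http://localhost:8080/healthz\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for rel, label in scan_rootfs(build_sample_rootfs()):
        print(f"{label:26} {rel}")
```

Run it against a real export with `scan_rootfs("/path/to/extracted")`; the clean `healthcheck` script in the sample shows that ordinary files produce no findings. Pattern matching of this kind catches the careless leaks Sysdig counted, but a deliberate implant can base64-encode or split a key, so treat an empty result as "nothing obvious", not "clean".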
Typosquatting was a popular and effective tactic for getting the malicious images pulled: the attackers publish them under names that are slight misspellings of popular, trusted images, in the hope that potential victims will not notice and will download the fraudulent version instead.
The tactic evidently works: the two typosquatted Linux images Sysdig highlighted had been pulled a combined 17,000 times.
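The kind of pre-pull check a registry client or admission policy could apply against typosquatting, as an added example that is not part of the article or of Sysdig's tooling: it normalises an image reference, compares the repository name against a list of official image names using Levenshtein edit distance, and flags near misses within two edits. The official-name set here is an assumed stand-in for the real Docker Official Images catalogue, and the example references are constructed.

```python
"""Flag image references whose repository name is a near miss of an official image name."""

# Assumed subset standing in for the real Docker Official Images catalogue.
OFFICIAL_IMAGES = {"alpine", "ubuntu", "debian", "nginx", "python", "postgres", "redis", "node"}


def levenshtein(a, b):
    """Classic edit distance: one insert, delete or substitute per step."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_ref(ref):
    """Split 'repo[:tag]' into (repo, tag), dropping the implicit 'library/' namespace."""
    repo, _, tag = ref.partition(":")
    if repo.startswith("library/"):
        repo = repo[len("library/"):]
    return repo, tag or "latest"


def lookalikes(ref, official=OFFICIAL_IMAGES, max_distance=2):
    """Return [(official_name, distance), ...] for official names within max_distance of the repo.

    An exact official name returns [] (nothing to flag), as does a name with no near miss.
    """
    repo, _ = parse_ref(ref)
    if repo in official:
        return []
    hits = [(name, levenshtein(repo, name)) for name in sorted(official)]
    return sorted(((n, d) for n, d in hits if d <= max_distance), key=lambda h: (h[1], h[0]))


def check_pull(ref):
    """Policy verdict for one reference: 'official', 'suspect' (near miss) or 'unknown'."""
    repo, _ = parse_ref(ref)
    if repo in OFFICIAL_IMAGES:
        return "official"
    return "suspect" if lookalikes(ref) else "unknown"


if __name__ == "__main__":
    for ref in ["ubuntu:22.04", "ubunut:22.04", "nginxx", "library/alpine:3.18", "grafana/grafana"]:
        print(f"{ref:22} {check_pull(ref):9} {lookalikes(ref)}")
```

A "suspect" verdict should block the pull or require a human to confirm; "unknown" just means the name is nowhere near an official one, which says nothing about whether the image itself is safe.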
Sysdig also notes that pulls from the public library have grown 15% this year, so the problem is unlikely to go away any time soon.