- Security researchers have found more than 1,600 malicious container images hiding in the public registry on Docker Hub.
- According to the research, the most common malicious images are those bundled with crypto miners; images with embedded secrets are the second most common.
- The threat actors also name images after popular open-source software, pretending they are legitimate.
A research team from Sysdig, a cloud-native runtime threat detection company, discovered several malicious containers disguised in recently updated Docker Hub images. For their analysis, the researchers examined 250,000 unverified Linux images on Docker Hub.
Malicious images in public registries
The Sysdig research team reported that they built a classifier to extract and collect data about recently updated images on Docker Hub. They examined those images to determine whether the image layers contained anything anomalous or malicious. The data extracted from Docker Hub includes secrets, IPs, and URLs. For the evaluation, the researchers used Sysdig's automated scanners to inspect 250,000 unverified Linux images; Sysdig says the automated scanners allowed for rapid analysis of all the extracted information for hundreds of thousands of images.
Several categories of images were examined during the analysis. It centered on two main categories, malicious IPs or domains and secrets, because both could represent a risk to people who download and deploy publicly available images from Docker Hub. As a result, 1,652 images were identified as malicious and categorized by the type of malicious content included in their layers.
According to the findings, crypto mining images are the most common malicious image type, with 608 container images. Images with secrets embedded in their layers are the second most widespread, with 281 images. This may be due to unintentionally poor coding practices or may be done deliberately by a threat actor. The embedded secrets are most commonly SSH keys, AWS credentials, GitHub tokens, NPM tokens, and others.
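To show the kind of layer-level secret check the research describes, here is an added Python example (not Sysdig's classifier) that walks a single image layer tar and flags files matching well-known public formats for the secret types named above. The layer contents and token values are constructed and obviously fake, and the regexes are assumptions about common key formats, not Sysdig's detection rules.

```python
import io
import re
import tarfile

# Assumed public formats for the secret types the article names
# (AWS access key ID, GitHub classic PAT, npm token, SSH private key header).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
}
MAX_FILE_BYTES = 1_000_000  # skip large binaries; leaked secrets sit in small text files


def scan_layer(layer_tar: bytes) -> list[tuple[str, str]]:
    """Walk one image layer (a plain or gzipped tar) and return (path, secret_type) hits."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="ignore")
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    hits.append((member.name, kind))
    return hits


def build_sample_layer() -> bytes:
    """Constructed stand-in for a pulled layer; every secret here is deliberately fake."""
    files = {
        "app/.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000\n",
        "root/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nnotarealkey\n-----END OPENSSH PRIVATE KEY-----\n",
        "app/.npmrc": "//registry.npmjs.org/:_authToken=npm_EXAMPLETOKENEXAMPLETOKENEXAMPLETOKEN\n",
        "app/main.py": "print('hello')\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            payload = content.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind in scan_layer(build_sample_layer()):
        print(f"{kind:18} {path}")
```

Running this against real layers means feeding each layer blob from a saved image (`docker save`) to `scan_layer`; anything it flags should block the image from being pushed or deployed until the secret is rotated.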

Typosquatting trick is used
Sysdig also warned that threat actors often hide their malware by naming images after popular open-source software to trick a careless developer into pulling them. This trick is called typosquatting: the image poses as a legitimate, official image while hiding something nefarious within its layers. The following images are named like legitimate images that provide common services but are in fact hiding cryptocurrency miners.

The researchers noted that those images were published by different users although all of them contain the same layers, meaning they are most likely the same threat actor or are following an attacker's playbook. Also, every one of those users published only one image, making the threat actor harder to track. The image layers can be explored directly on Docker Hub. The Sysdig threat research team adds:
« The methods employed by malicious actors described by Sysdig TRT are specifically targeted at cloud and container workloads. Organizations deploying such workloads should ensure that they enact appropriate preventative and detective security controls that are capable of mitigating cloud-targeting attacks. »