Malicious Docker Images Used to Mine Monero
Images on Docker Hub Contained Cryptominers
A recently uncovered cryptomining scheme used malicious Docker images to hijack organizations’ computing resources to mine cryptocurrency, according to cybersecurity firm Aqua Security. These images were uploaded to the legitimate Docker Hub repository.
The researchers identified five container images on Docker Hub that could be used as part of a supply chain attack targeting cloud-native environments.
Docker is a popular container platform for Linux and Windows that developers use to build, package and run applications; Docker Hub is its public image registry.
Assaf Morag, lead data analyst at Aqua Security, says the researchers found the malicious images during their regular manual analysis of container images published on Docker Hub.
"We regularly share this kind of information with Docker Hub and other public registries or repositories (GitHub, Bitbucket etc)," Morag says. "Based on the information we share with Docker Hub, they conduct their investigation and decide whether or not they close the namespace. In this particular case, they closed these namespaces on the same day we had reached out to them. Docker Hub’s reaction and response time are absolutely amazing."
The first three images found by the researchers - thanhtudo, thieunutre and chanquaa - run dao.py, a Python script that has appeared in several previous campaigns that used typosquatting to hide malicious container images on Docker Hub.
The other two container images are named openjdk and golang. "We haven’t seen any indication that they were used in attacks in the wild but that doesn’t mean that they were or weren’t," Morag notes. "Our goal is to shine a bright light on these container images with misleading names, saying that they contain cryptominer which is executed once you run the container, even though there is no indication in the namespace that this is the purpose of these container images."
Containers Look Official
These malicious images are designed to be easily mistaken for official container images, even though the Docker Hub accounts that published them are not official accounts.
"Once they are running, they may look like an innocent container. After running, the binary xmrig is executed (MD5: 16572572588c2e241225ea2bf6807eff), which hijacks resources for cryptocurrency mining," the researchers note.
Morag says social engineering techniques could be used to trick someone into using these container images.
"I guess you will never log in to the webpage mybunk[.]com, but if the attacker sent you a link to this namespace, it might happen," he says. "The fact is that these container images accumulated 10,000-plus pulls, each."
While it is unclear who is behind the scheme, the report notes that the malicious Docker Hub account was taken down after Aqua Security notified Docker.
Morag explains that these containers are not directly controlled by an attacker: a script set as the image's ENTRYPOINT/CMD runs an automated attack as soon as the container starts. In this case, the attack was limited to hijacking computing resources to mine cryptocurrency.
"When someone runs these container images, there’s a script that 'loads' the mining configuration and executes a binary that is designed to communicate with a mining pool and execute a crypto mining script. In all cases - XMRIG," Morag notes.
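The behaviour Morag describes can be checked for before an image is ever run: the image config records the start command, and the files in the image can be hashed against known indicators. The following is an added example, not code from the Aqua Security report. It reads the kind of JSON that `docker image inspect` prints and a path-to-MD5 map of files copied out of the image (both constructed here; the only real indicator is the xmrig MD5 quoted above), and flags a start command that runs a script rather than the program the image name advertises, and any file whose hash matches the known xmrig sample. Note the limits the next section raises: a container that downloads its miner at runtime shows nothing here, so this is a triage step, not a substitute for dynamic analysis.

```python
"""Static triage of a pulled image's config and file hashes (added example).

Checks two things the article describes: an Entrypoint/Cmd that launches a
script, and a file whose MD5 equals the xmrig sample hash. The inspect
document and file list below are constructed, not data from the report.
"""
import hashlib
import json

# MD5 of the xmrig binary named in the article; the only real IOC here.
KNOWN_BAD_MD5 = {"16572572588c2e241225ea2bf6807eff"}

# Heuristics for "the container starts by running a script".
SCRIPT_SUFFIXES = (".py", ".sh", ".pl", ".rb")
INTERPRETERS = {"python", "python3", "sh", "bash", "perl", "ruby"}


def md5_hex(data: bytes) -> str:
    """MD5 of a file's bytes, e.g. one copied out with `docker cp`."""
    return hashlib.md5(data).hexdigest()


def _as_argv(value):
    """docker inspect records Entrypoint/Cmd as a list or null; tolerate a string."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def start_command(config: dict) -> list:
    """The argv the container runs at start: Entrypoint followed by Cmd."""
    return _as_argv(config.get("Entrypoint")) + _as_argv(config.get("Cmd"))


def triage(inspect_json: str, file_md5s: dict) -> list:
    """Return human-readable findings for one image; an empty list means nothing flagged."""
    findings = []
    image = json.loads(inspect_json)[0]
    argv = start_command(image.get("Config", {}))
    if not argv:
        findings.append("no Entrypoint/Cmd recorded in image config")
    else:
        prog = argv[0].rsplit("/", 1)[-1]
        # A bare interpreter (the official python image's CMD) is fine; an
        # interpreter handed a path, or any script-file argument, is worth reading.
        is_script = any(a.endswith(SCRIPT_SUFFIXES) for a in argv) or (
            prog in INTERPRETERS and len(argv) > 1 and "/" in argv[1])
        if is_script:
            findings.append("start command runs a script: " + " ".join(argv))
    for path, digest in file_md5s.items():
        if digest.lower() in KNOWN_BAD_MD5:
            findings.append(f"{path} matches known xmrig MD5 {digest}")
    return findings


# Constructed sample modelled on `docker image inspect` output for a look-alike
# image; "someuser" is a hypothetical namespace, not one named in the article.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["someuser/openjdk:latest"],
    "Config": {"Entrypoint": ["python3", "/usr/local/bin/dao.py"], "Cmd": None},
}])

# Constructed: what you would get by running md5_hex() over files extracted
# from the image. The xmrig entry reuses the hash quoted in the article.
SAMPLE_FILE_MD5S = {
    "/usr/local/bin/dao.py": md5_hex(b"# constructed placeholder script\n"),
    "/usr/local/bin/xmrig": "16572572588c2e241225ea2bf6807eff",
}

if __name__ == "__main__":
    for line in triage(SAMPLE_INSPECT, SAMPLE_FILE_MD5S):
        print("FLAG:", line)
```

To run this against a real image, feed it the output of `docker image inspect <image>` and a hash map built from the files in `docker export` or `docker cp` of a container created with `docker create` (never `docker run`, which would execute the entrypoint you are trying to examine).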
Mitigating the Risk
Aqua Security researchers recommend companies improve their defensive measures to reduce the risk of falling victim to this type of attack. "Attackers are increasingly targeting organizations’ software supply chains, and in some cases, they are getting better at hiding their attacks," the researchers say.
"When running containers from a public registry, treat the registry as a source with a high risk of supply chain attacks," the researchers say. "Attackers are trying to trick developers into inadvertently pulling malicious container images by camouflaging them as popular ones. To reduce risk, create a curated internal registry for base container images and limit who can access public registries. Enact policies that ensure container images are vetted before they are included in the internal registry."
Sophisticated attacks are often able to avoid detection when organizations use static, signature or pattern-based scanning, Morag says. "For example, threat actors can evade detection by embedding code in container images that download malware only during runtime," he says. "That’s why in addition to scanning any external unvetted container images for vulnerabilities, you need to use proper tools that dynamically analyze the container behavior in a sandbox to identify attack vectors that wouldn’t be detected with static code scanning."
The researchers also recommend digitally signing container images or using other methods of maintaining image integrity to ensure that the container images in use are the same ones that have been vetted and approved.
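The three controls above (a curated internal registry, refusing look-alikes of popular images, and admitting only images whose integrity has been checked) can be encoded as an admission check on the image reference itself. The following is an added example, not tooling from Aqua Security or Docker. It normalises a reference the way the Docker CLI does (a bare name means docker.io/library/, a first component with a dot or port is a registry), then rejects pulls from anything but the internal registry, flags Docker Hub images that reuse an official image name outside the library/ namespace, and accepts only references pinned to a digest on a vetted list. The registry hostname, the "someuser" namespace and the digests are constructed for the example; verifying a signature (for instance with cosign) is a separate step not shown here.

```python
"""Image-reference admission policy (added example, constructed data).

Enforces: pull only from the curated internal registry, refuse Docker Hub
look-alikes of official images, admit only vetted, digest-pinned references.
"""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed policy: the internal registry and the digests that passed vetting.
ALLOWED_REGISTRIES = {"registry.corp.example"}
APPROVED_DIGESTS = {
    "registry.corp.example/base/openjdk": {"sha256:" + "a" * 64},
    "registry.corp.example/base/golang": {"sha256:" + "b" * 64},
}
# Names of Docker official images; the real ones live under docker.io/library/.
OFFICIAL_NAMES = {"openjdk", "golang", "python", "node", "alpine", "ubuntu"}


@dataclass
class Reference:
    registry: str
    repository: str          # namespace/name, e.g. library/openjdk
    tag: Optional[str]
    digest: Optional[str]


def parse_reference(ref: str) -> Reference:
    """Split an image reference the way the Docker CLI normalises it."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:                          # a ':' after the last '/' is a tag
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, parts[1:]      # explicit registry host[:port]
    else:
        registry, path = "docker.io", parts    # no registry component: Docker Hub
    if registry == "docker.io" and len(path) == 1:
        path = ["library"] + path              # bare name: official image namespace
    return Reference(registry, "/".join(path), tag, digest)


def violations(ref: str) -> list:
    """Return the policy violations for one reference; an empty list means admit."""
    r = parse_reference(ref)
    out = []
    if r.registry not in ALLOWED_REGISTRIES:
        out.append(f"registry {r.registry} is not the curated internal registry")
    namespace, _, name = r.repository.rpartition("/")
    if r.registry == "docker.io" and name in OFFICIAL_NAMES and namespace != "library":
        out.append(f"{r.repository} uses an official image name outside library/")
    if r.digest is None:
        out.append("reference is not pinned by digest")
    elif not DIGEST_RE.match(r.digest):
        out.append(f"malformed digest {r.digest}")
    elif r.digest not in APPROVED_DIGESTS.get(f"{r.registry}/{r.repository}", set()):
        out.append(f"digest {r.digest[:19]}... has not been vetted")
    return out


if __name__ == "__main__":
    # "someuser" is a hypothetical Docker Hub namespace, not one from the article.
    for candidate in ["openjdk",
                      "someuser/openjdk:latest",
                      "registry.corp.example/base/openjdk@sha256:" + "a" * 64,
                      "registry.corp.example/base/openjdk@sha256:" + "c" * 64]:
        print(candidate, "->", violations(candidate) or "admit")
```

Pinning by digest is what makes the "same image that was vetted" guarantee hold: a tag such as latest can be re-pointed at different content after approval, while the content-addressed digest cannot. The check is cheap enough to run in a CI step or an admission controller in front of every pull.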