Malware News 17 Backdoored Docker Images Removed From Docker Hub (images remained online for a year)

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Content source
https://www.bleepingcomputer.com/news/security/17-backdoored-docker-images-removed-from-docker-hub/
The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year.

The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers.
These Docker images allow sysadmins to quickly start an application container within seconds, without having to create their own Docker app container, a complicated and painstaking process that not all users are technically capable or inclined to do.

Malicious Docker images remained online for a year

Just like it happened with other package repositories in the past —such as Python [1, 2] and npm [1, 2]— malicious actors have uploaded malicious packages on the main Docker Hub repository.
Because new Docker images don't go through a security audit or testing process, these images were listed on the Docker Hub portal right away, where they remained active between May 2017 and May 2018, when the Docker team finally intervened to pull them down.
Click to expand...
Took a while before users caught on to what was happening

Signs that something was wrong on the Docker and Kubernetes (app for managing Docker images at a large scale) scene started appearing last September and continued through the winter.
Users reported that malicious activity was happening on their cloud servers running Docker and Kubernetes instances. Reports of security incidents involving Docker images were posted on GitHub and Twitter.
Several security firms and security researchers such as Sysdig, Aqua Security, and Alexander Urcioli also published reports about security incidents they've observed.

Even Bleeping Computer ran an article in March about an increase in coin-mining-related security incidents involving Docker and Kubernetes servers, in an attempt to highlight a new rising trend in cloud security.
Click to expand...
Some affected servers may still be compromised

Nonetheless, Kromtech researchers warn that some of these images also contained backdoor-like capabilities thanks to the embedded reverse shells.
This means that even if victims stopped using or removed the malicious Docker images, the attacker could have very easily obtained persistence on their systems through other means, possibly granting them access to the system at a later time.
Click to expand...
 
  • Like
Reactions: Der.Reisende, upnorth and harlan4096
You must log in or register to reply here.

Similar threads

CyberTech
    • +Reputation
    • Thanks
Docker Hub repositories hide over 1,650 malicious containers
Replies
0
Views
496
News Archive
CyberTech
CyberTech
Gandalf_The_Grey
    • Like
    • +Reputation
    • Thanks
Google Cloud Build bug lets hackers launch supply chain attacks
Replies
1
Views
1,341
News Archive
Sandbox Breaker
Sandbox Breaker
cartaphilus
    • Like
Question Can Kaspersky be ran in a container like docker and still scan the files of the host OS?
Replies
1
Views
638
Kaspersky
Xeno1234
Xeno1234

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top