Over a thousand container images hosted on the popular container image repository Docker Hub are malicious, putting users at risk of cyberattack, experts have warned.
According to a report from Sysdig, the images contained nefarious assets such as cryptominers, backdoors, and DNS hijackers.
Container images are essentially templates for creating applications quickly and easily, without having to start from scratch when reusing certain features. Docker Hub allows users to upload and download these images to and from its public library.
Types of malware
The Docker Library Project reviews images and verifies those it deems to be trustworthy, but there are plenty that remain unverified. Sysdig automatically scanned a quarter of a million unverified Linux images, and found 1,652 to be hiding harmful elements.
Cryptomining was the most common kind of malicious implant, present in 608 of its scanned images. Next were embedded secrets, such as AWS credentials, SSH keys, and GitHub and NPM tokens. These were found in 208 of the images.
Sysdig commented that these embedded keys mean that “the attacker can gain access once the container is deployed… uploading a public key to a remote server allows the owners of the corresponding private key to open a shell and run commands via SSH, similar to implanting a backdoor.”
Typosquatting was a popular and successful tactic among the threat actors behind the malicious images: they publish images under slightly misspelt versions of popular and trusted image names, in the hope that potential victims will not notice and will download the fraudulent version instead.
Indeed, it worked at least 17,000 times, as this was the combined number of downloads of two typosquatted Linux images.
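One way to catch such look-alike names before an image is pulled, shown as an added example that is not from the Sysdig report: compare each image reference against an allowlist and flag near misses. The allowlist contents, the distance threshold of 2 and the function names are assumptions made for illustration.

```python
# Constructed allowlist; a real one would come from your own pull policy.
TRUSTED = {"library/ubuntu", "library/nginx", "library/postgres", "bitnami/redis"}

def normalize(ref):
    """Reduce a Docker Hub reference to 'namespace/repo' (no host, tag or digest)."""
    ref = ref.split("@", 1)[0].lower()            # drop an @sha256:... digest
    for host in ("docker.io/", "index.docker.io/"):
        if ref.startswith(host):
            ref = ref[len(host):]
    head, _, last = ref.rpartition("/")
    last = last.split(":", 1)[0]                  # drop the tag after the repo name
    name = f"{head}/{last}" if head else last
    # Official images have an implicit 'library/' namespace on Docker Hub.
    return name if "/" in name else "library/" + name

def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)      # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def check(ref, max_distance=2):
    """Return ('trusted', name), ('suspect', nearest_trusted) or ('unknown', None)."""
    name = normalize(ref)
    if name in TRUSTED:
        return ("trusted", name)
    nearest = min(sorted(TRUSTED), key=lambda t: osa_distance(name, t))
    if osa_distance(name, nearest) <= max_distance:
        return ("suspect", nearest)               # close to a trusted name, not equal
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample references, as they might appear in a Dockerfile or manifest.
    for ref in ["docker.io/library/nginx:1.25", "ubunut:22.04",
                "bitnamy/redis", "acme/internal-tool"]:
        print(ref, check(ref))
```

A "suspect" verdict means the name is within two edits of an allowlisted name without matching it, which is the pattern a misspelt image name produces; "unknown" names still need their own review.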
Sysdig claims that there has been a 15% rise this year in the number of images pulled from the public library, so it looks as if the problem isn’t going away anytime soon.