Over a thousand container images hosted on a site Database Experts have warned that the Docker Hub repository is malicious, putting users at risk of cyberattacks.
According to a report from Sysdig, the images contained nefarious assets such as cryptominers, backdoors, and Domain Name System kidnappers.
Container images are essentially templates for building applications quickly and easily, without having to start from scratch when reusing certain features. Docker Hub allows users to upload and download these images to and from its public library.
Types of malware
The Docker Library Project reviews images and checks for images it considers to be trustworthy, but there are a lot of unverified images. Sysdig automatically checked a quarter of a million unverified ones Linux of the images, and found that 1,652 of them conceal harmful elements.
Cryptomining was the most common type of malignant implant, and it was present in 608 of his scans. Then there were the secrets built in, like AWS credentials, SSH keys, GitHub and NPM tokens. These were found in 208 of the images.
Sysdig commented that these embedded keys mean, “An attacker can gain access as soon as the container is deployed… Uploading a public key to a remote server allows owners of the matching private key to open a shell and run commands over SSH, similar to a transplant to a backdoor.”
Typosquatting has been a common and successful tactic used by attackers on hacked images — slightly misspelled copies of popular, trusted images in the hope that potential victims won’t notice and download their fraudulent version instead.
In fact, it has worked no less than 17,000 times, as that was the total number of downloads for two Linux print images.
Sysdig claims there’s been a 15% spike this year in the amount of images pulled from the public library, so it looks like the problem isn’t going away anytime soon.