Skip to content
Sign In Subscribe
Cybersecurity | english only |NewsCybersecurityEnglish

Docker Hub repositories hide over 1,650 malicious containers

 and  Katalin Béres
2 min read

Table of Contents

Over 1,600 publicly available Docker Hub images hide malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors.
Docker Hub is a cloud-based container library allowing people to freely search and download Docker images or upload their creations to the public library or personal repositories.
Docker images are templates for the quick and easy creation of containers that contain ready-to-use code and applications. Therefore, those looking to set up new instances often turn to Docker Hub to quickly find an easily deployable application.
Unfortunately, due to abuse of the service by threat actors, over a thousand malicious uploads introduce severe risks to unsuspecting users deploying malware-laden images on locally hosted or cloud-based containers.
Many malicious images use names that disguise them as popular and trustworthy projects, so threat actors clearly uploaded them to trick users into downloading them.
Researchers at Sysdig looked into the issue, trying to evaluate the scale of the problem, and reported on the found images that feature some form of malicious code or mechanism.

Docker Hub traps

Apart from images reviewed by the Docker Library Project, which are verified to be trustworthy, hundreds of thousands of images with an unknown status are on the service.
Sysdig used its automated scanners to scrutinize 250,000 unverified Linux images and identified 1,652 of them as malicious.
The largest category was that of crypto-miners, found in 608 container images, targeting server resources to mine cryptocurrency for the threat actors.
Types of malicious images on Docker Hub(Sysdig)
The second most-common occurrence were images hiding embedded secrets, measuring 281 cases. The secrets embedded in these images are SSH keys, AWS credentials, GitHub tokens, NPM tokens, and others.
Types of secrets left in Docker images(Sysdig)
Docker Hub repositories hide over 1,650 malicious containers
Over 1,600 publicly available Docker Hub images hide malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors.
BleepingComputerBill Toulas
Full article can be read here

#SupplyChain

Related

Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28
Cybersecurity | english only |

Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28

Ukrainian hacktivist team Cyber Resistance hacked the email of Lieutenant Colonel Sergey Alexandrovich Morgachev, an officer of the Russian Main Intelligence Directorate of the General Staff of the Russian Army (GRU), leader of the Russian hacker group APT 28, consisting of officers of the 85th Main Special Service Center of

 and  Katalin Béres
Members Public
Supply Chain Attack Against Customers Of Business Phone Provider 3CX Using Trojanized 3CX Desktop App
Cybersecurity | english only |

Supply Chain Attack Against Customers Of Business Phone Provider 3CX Using Trojanized 3CX Desktop App

Hackers may have compromised the networks of thousands of businesses due to a supply-chain attack on the enterprise phone company 3CX, which confirmed on Thursday its desktop app had been bundled with malware. 3CX provides office phone systems to more than 12 million daily users at over 600,000 companies,

 and  Katalin Béres
Members Public
Analysis of the "#VulkanFiles" Leak
Cybersecurity | english only |

Analysis of the "#VulkanFiles" Leak

A whistleblower has provided several media organizations with access to leaked documents from a Russian IT firm named NTC Vulkan (Russian: НТЦ Вулкан) that allegedly show how the firm supports Russia's military and intelligence agencies with cyber warfare tools. Journalists from Der Spiegel and Munich-based investigative group Paper

 and  Katalin Béres
Members Public

Latest

2024-117: Zero-Day Vulnerabilities in Palo Alto Networks PAN-OS
News

2024-117: Zero-Day Vulnerabilities in Palo Alto Networks PAN-OS

Palo Alto Networks released security updates for two actively exploited zero-day vulnerabilities in Palo Alto Networks PAN-OS. If exploited, these vulnerabilities could allow a remote unauthenticated attacker to gain administrator privileges, or a PAN-OS administrator to perform actions on the firewall with root privileges. It recommended applying the updates and

 and  Ferenc Fresz
Members Public
Modern zsarolóvírusok
Ransomware

Modern zsarolóvírusok

A Magyar Védelmi Beszerzési Ügnynökséget az INC Ransom csoport támadta és zsarolta meg 2024. októberében. Az elmúlt időszakban megszaporodtak azok a magyarországi zsarolóvírus támadások, amelyek során az INC és a vele csaknem 71%-ban azonos Lynx zsarolóvírusokat használták a támadók.

 and  Ferenc Fresz
Members Public