At least 17 rogue images that have been uploaded in batches over the past year were found hosted under a public Docker Hub registry called docker123321. Despite multiple reports from users and security firms since September, the registry was not removed until May this year by which time the images had been pulled over 5 million times.
According to a recent analysis by researchers from Kromtech, the first three images were put up by docker123321 in May 2017 and were called tomcat, tomcat11 and tomcat22. They contained shell scripts that attempted to install reverse shells or to add authorized SSH keys on the user’s host system.
The tomcat image contained scripts that attempted to mount /etc/ from the host filesystem to /mnt/etc/ inside the container, then added a new cronjob to /etc/crontab on the host to execute a Python-based reverse shell every two minutes.
The tomcat11 image had a similar crontab-based payload delivery mechanism, but the cronjob it created set up a Bash-based reverse shell instead. Finally, tomcat22 attempted to mount /root/.ssh/ from the host, then tried to add an attacker-controlled SSH key to /root/.ssh/authorized_keys.
The second batch of malicious images was pushed to docker123321’s registry on Docker Hub between October and December 2017 with names such as kk, mysql, data and mysql0. While the payload delivery was also dependant on cronjobs, the payload itself consisted of cryptocoin mining software, particularly for Monero cryptocurrency.
The upload of rogue images under the docker123321 registry continued with new batches in January and February. Those images exhibited similar malicious behavior: The execution of reverse shells or cryptocurrency mining.
Statistics from the mining pool used by the attackers showed that just one of their wallets received 544.74 XMR (Monero coins) — around $89,000 — that were most likely mined using other people’s cloud infrastructure.
“For ordinary users, just pulling a Docker image from the DockerHub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it,” the Kromtech researchers said.
Docker12331 is not the only public registry on Docker Hub that was found to host malicious images rigged with Monero miners. The more concerning problem is that, until recently, there has been little to no policing done on Docker Hub regarding this issue.
Multiple parties including security firm Fortinet have publicly reported Docker12331’s images as malicious over the past year, first time in September 2017, and yet they remained up until May. Since then, other people have discovered similarly poisoned images hosted under other registries.
“We would like to apologize for the delay in responding to this thread,” a user named Jamin Wong commented this week to an issue about malicious images opened on Docker Hub’s Feedback tracker. “We have removed the reported repositories. Our team is hard at work to improve the user experience on Docker Hub.”
“As with any public repositories, Docker Hub is there for the service of the community,” Wong said. “When dealing with open public repositories and open source code, we recommend that you follow a few best practices. We recommend that users use curated official images in Docker Hub and certified content in Docker Store whenever possible. For community images, verify the content author and inspect the content of the image before running.”
“Docker does not normally police community images unless they contain illegal content,” Wong added. “We do, however, employ dedicated teams to curate official images on Docker Hub and certified images on Docker Store.”
Feature image via Pixabay.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.