Security researchers at Palo Alto Networks Inc. today detailed a malicious Docker Hub account that was hosting six malicious images used to mine Monero cryptocurrency.
The malicious account is believed to have been active since October 2019. The code used in the malicious images was designed to evade network detection by using network anonymizing tools such as ProxyChains and Tor.
An odd bad actor here or there may not be that newsworthy, but where this differs is that the researchers estimate that the images hosted on the account had been collectively pulled more than 2 million times. By comparison, legitimate Azure related images under the official Microsoft Docker Hub account have anywhere from a few thousand to hundreds of millions of pulls.
One of the wallet IDs identified in the malicious images was found to have raised around $36,000 with activity ongoing. The attackers used two different methods to mine Monero in the malicious images. In one method the code was designed to directly submit mined blocks to the central minexmr pool using a wallet ID. The second method used a hosting service where those behind the images used their own mining pool.
After being informed of the malicious images, the Docker security team pulled the images and canceled the account being used.
Wei Lien Dang, co-founder and chief strategy officer at container security firm StackRox Inc. told SiliconANGLE that software coding today very frequently includes using images that are made available in public registries such as Docker Hub, which makes uploading compromised images a clear attack vector.
“We’ve seen numerous examples of attackers successfully planting cryptominers in public Docker images,” Dang said. “Fundamentally, organizations must take care in the registries their users access for downloading images and the images that are allowed to be used to launch containers. Standard advice includes using private trusted registries and allowing only vetted images to be employed.”
Image: Kyohei Ito/Flickr
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.
If you like the reporting, video interviews and other ad-free content here, please take a moment to check out a sample of the video content supported by our sponsors, tweet your support, and keep coming back to SiliconANGLE.