According to a report from Sysdig’s threat research team, more than 1,600 Docker container images hosted on Docker Hub, the popular public image registry, are malicious, putting anyone who pulls them at risk of cyberattack.
Sysdig’s threat research team analysed more than 250,000 Linux images to understand what kinds of malicious payloads hide in container images on Docker Hub. The Docker Library Project reviews and publishes the images it deems trustworthy as official images, but the vast majority of images on the Hub are unverified. Sysdig automatically scanned 250,000 of those unverified Linux images and found that 1,652 contained harmful content such as cryptominers, backdoors, and DNS hijackers.
“The Sysdig Threat Research team created a classifier to extract and collect information about recently updated images on Docker Hub to determine if those images contained something anomalous or malicious within the image layers,” Sysdig says.
What is DockerHub?
Docker Hub is a cloud-based image registry where anyone can download, build, store, and deploy Docker container images for free. It hosts public repositories for open source images, and each user can also create private repositories for their own images.
Docker Hub provides official images that are reviewed and published by the Docker Library Project, which ensures that best practices are followed and that the images come with clear documentation and regular updates. Docker Hub also runs the Docker Verified Publisher program for independent software vendors (ISVs): tool providers in this program distribute trusted Dockerized content through Docker Hub, with their images labelled as coming from a Verified Publisher, which reduces the chance that a user downloads malicious content by mistake.
Malicious image categories
Among the unverified images, Sysdig’s threat research team found several categories of dangerous content in the public registry, including typosquatted images, cryptominers, and embedded keys and secrets.
Cryptomining images were the most common malicious type, accounting for 608 of the flagged images.
Secrets embedded in image layers were the second most frequent category, found in 208 images, which highlights the persistent challenge of managing secrets. A secret ends up in an image either unintentionally, through poor coding practices, or deliberately, planted by a threat actor. In either case an embedded SSH key, AWS credential, GitHub token, or npm token lets an attacker gain access once the container is deployed, and anyone who can pull the image can read the secret straight out of its layers.
To prevent accidental leakage of credentials, secret-scanning tools can alert developers as part of the development cycle, before an image is pushed to a registry.
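The following is an added example, not Sysdig’s classifier and not code from the report: a minimal layer-by-layer secret scanner for a `docker save`-style archive (a `manifest.json` listing layer tarballs). It scans each layer separately rather than the merged filesystem, because a secret written in one layer and then deleted in a later one (a `RUN rm`, which Docker records as a `.wh.` whiteout entry) is still present in the earlier layer and still extractable by anyone who pulls the image. The regexes are approximations of the documented AWS, GitHub, npm and SSH key formats (assumption), the sample image is constructed in memory, and the AWS key inside it is the documented AWS example key, not a live credential.

```python
import io
import json
import re
import tarfile

# Approximate formats for the credential types the report lists (assumption):
# AWS access key IDs are "AKIA" plus 16 upper-case alphanumerics, GitHub tokens
# carry a gh?_ prefix, npm access tokens carry an npm_ prefix, and SSH private
# keys are PEM blocks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "npm_token": re.compile(rb"\bnpm_[A-Za-z0-9]{36}\b"),
    "ssh_private_key": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
}

MAX_FILE_BYTES = 8 * 1024 * 1024  # skip very large binaries inside a layer


def _tar_of(files: dict) -> bytes:
    """Build an uncompressed tar archive from a {path: content} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed `docker save`-style archive (not a real image): a manifest and
    two layer tarballs. Layer 1 bakes in an AWS key and an SSH key; layer 2
    'deletes' the env file with a whiteout entry and adds an npm token."""
    layer1 = _tar_of({
        "etc/app/config.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=eu-west-1\n",
        "root/.ssh/id_ed25519": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                 b"c29tZSBmYWtlIGtleSBib2R5\n"
                                 b"-----END OPENSSH PRIVATE KEY-----\n"),
        "usr/local/bin/app": b"#!/bin/sh\necho hello\n",
    })
    layer2 = _tar_of({
        # Docker whiteout: hides etc/app/config.env in the merged filesystem,
        # but the bytes stay in layer 1 and are still extractable.
        "etc/app/.wh.config.env": b"",
        "root/.npmrc": b"//registry.npmjs.org/:_authToken=npm_0123456789abcdefghijklmnopqrstuvwxyz\n",
    })
    manifest = [{
        "Config": "config.json",
        "RepoTags": ["example/app:latest"],
        "Layers": ["layer1/layer.tar", "layer2/layer.tar"],
    }]
    return _tar_of({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "layer1/layer.tar": layer1,
        "layer2/layer.tar": layer2,
    })


def scan_image(image_bytes: bytes) -> list:
    """Scan every layer listed in manifest.json and return one finding per match,
    recording which layer the secret lives in (not just the final filesystem)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_path).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as layer:
                for member in layer.getmembers():
                    if not member.isfile() or member.size > MAX_FILE_BYTES:
                        continue
                    data = layer.extractfile(member).read()
                    for kind, pattern in SECRET_PATTERNS.items():
                        for match in pattern.finditer(data):
                            findings.append({
                                "layer": layer_path,
                                "path": member.name,
                                "type": kind,
                                # short, redacted preview for the report
                                "preview": match.group(0)[:10].decode(errors="replace") + "...",
                            })
    return findings


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        print(f"{f['layer']}: {f['path']} -> {f['type']} ({f['preview']})")
```

Run against a real image with `docker save image:tag -o image.tar` and pass the file’s bytes to `scan_image`. Pattern matching like this catches well-formed tokens; high-entropy strings, config files with bespoke formats, and secrets inside compressed or binary blobs need a dedicated scanner, and a finding in an early layer should be treated as leaked even if a later layer removed the file.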
Threat actors also used typosquatting for their malicious images: publishing slightly misspelled versions of popular and trusted image names in the hope that potential victims will not notice and will pull the fraudulent image instead.
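As an added example (not part of the report, and not how Sysdig’s classifier works), the check below flags image references whose name is a near miss of an official image. It normalises a reference the way the Docker CLI does (a bare name such as `nginx` means `docker.io/library/nginx`), treats only the `library` namespace as official, and compares both the namespace and the repository name of anything else against a list of official names by edit distance. The official-name list is a small subset chosen for the example (assumption), and the lookalike references such as `ngnix/ngnix` are constructed for the demo, not claims about any real Docker Hub repository. It goes slightly beyond the text in that it also flags an exact official name under a non-library namespace, so treat its output as a review queue rather than a block list and pair it with an allowlist of images your organisation actually uses.

```python
# Official image names used as the comparison set: a small subset of the
# Docker Library catalogue, chosen for this example (assumption).
OFFICIAL_IMAGES = {"alpine", "ubuntu", "debian", "busybox", "nginx", "redis",
                   "python", "node", "postgres", "mysql"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def parse_reference(ref: str) -> tuple:
    """Split an image reference into (registry, namespace, repo, tag), using
    simplified Docker CLI rules: a first path component containing '.' or ':'
    (or equal to 'localhost') is a registry, otherwise the registry is
    docker.io; a bare name on docker.io lives in the 'library' namespace."""
    name = ref.partition("@")[0]            # drop any @sha256:... digest
    parts = name.split("/")
    registry = "docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    repo, _, tag = parts[-1].partition(":")
    parts[-1] = repo
    if registry == "docker.io" and len(parts) == 1:
        parts.insert(0, "library")
    return registry, "/".join(parts[:-1]), repo, tag or "latest"


def nearest_official(name: str, official=OFFICIAL_IMAGES) -> tuple:
    """Closest official name and its distance (sorted for determinism on ties)."""
    best = min(sorted(official), key=lambda o: edit_distance(name, o))
    return best, edit_distance(name, best)


def classify(ref: str, official=OFFICIAL_IMAGES, max_distance: int = 2) -> str:
    registry, namespace, repo, _tag = parse_reference(ref)
    if registry != "docker.io":
        return "other-registry"
    if namespace == "library":
        # Only Docker publishes into library/, so an unknown name here means the
        # allowlist is incomplete rather than a lookalike.
        return "official" if repo in official else "unverified"
    # User- or org-namespaced image: compare both the namespace and the repo
    # name, so "ngnix/ngnix"-style lookalikes and an official name under a
    # stranger's namespace are both surfaced for review.
    for component in (repo, namespace.rsplit("/", 1)[-1]):
        nearest, distance = nearest_official(component, official)
        if distance <= max_distance:
            return f"lookalike:{nearest}"
    return "unverified"


if __name__ == "__main__":
    # Constructed references for the demo; the misspelled names are invented
    # and are not claims about any real Docker Hub repository.
    for ref in ["nginx", "nginx:1.25", "docker.io/library/redis",
                "ngnix/ngnix", "someorg/pythom:3.12",
                "someorg/internal-tool", "ghcr.io/someorg/nginx"]:
        print(f"{ref:28s} {classify(ref)}")
```

A practical place to run this is a CI step or an admission controller that inspects the `image:` fields of manifests before they are deployed, so a `lookalike:` result stops the rollout for a human to look at.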
Sysdig claims there has been a 15% increase this year in the number of images pulled from the public library, so the problem is unlikely to go away anytime soon.
The Sysdig team recommends that organizations running such workloads implement proper detective and preventive security controls capable of mitigating cloud-targeted attacks.