Security alert: The threat is coming from inside your Docker container images

3 years ago 486

Five malicious Docker instrumentality images were precocious detected connected Docker Hub, totaling much than 120,000 pulls.

docker-new.jpg

Image: o_m/Shutterstock

There's a caller menace cybersecurity teams request to ticker retired for: malicious Docker containers hiding connected morganatic sites similar Docker Hub, wherever Aqua Security's menace probe arm, Team Nautilus, recovered 5 images accounting for a whopping 120,000 pulls by unsuspecting users.

Team Nautilus is further informing that the malicious Docker images could beryllium portion of a larger bundle proviso concatenation onslaught with its eyes connected disrupting cloud-native environments. Supply concatenation attacks traditionally impact carnal tampering with hardware successful bid to instal malicious codification that tin impact different organizations further down the chain. Consider these Docker images a integer mentation of a portion of instrumentality that's been tampered with to instal malware. 

Attack-wise, the codification being utilized successful the 5 malicious images aims to bash the aforesaid thing: instal a malicious binary called xmrig that secretly mines the Monero cryptocurrency, invisibly eating up strategy resources. 

SEE: Security incidental effect policy (TechRepublic Premium)

Three of the images–thanhtudo, thieunutre and chanquaa–install xmrig utilizing a Python publication called dao.py, which was utilized successful a antecedently discovered malicious Docker representation called azurenql that was pulled 1.5 cardinal times. These 3 images trust connected misspellings to instrumentality users into downloading them, and Nautilus said they're not apt to beryllium portion of the imaginable proviso concatenation attack. 

The different 2 malicious Docker images–openjdk and golang–attempt to instrumentality users into believing they are images for the unfastened root Java implementation OpenJDK and open-source programming connection Go. It's these that are apt portion of a proviso concatenation onslaught aiming to infect the companies that propulsion those images. 

Assaf Morag, Team Nautilus pb information analyst, warned successful a blog station announcing the discovery that proviso concatenation attacks are a superior menace to cloud-native environments. "Organizations should make a information strategy that tin observe and forestall proviso concatenation attacks astatine each signifier of the exertion lifecycle–from physique to production," Morag said. 

Tips for preventing proviso concatenation attacks

In his blog post, Morag recommends 3 strategies for preventing proviso concatenation attacks, starting with controlling entree to nationalist registries and treating immoderate of them being tally arsenic precocious risk. "Create a curated interior registry for basal instrumentality images and bounds who tin entree nationalist registries. Enact policies that guarantee instrumentality images are vetted earlier they are included successful the interior registry," Morag said. 

Second, Morag recommends utilizing static and dynamic malware scanning connected instrumentality images, arsenic galore attackers are capable to obfuscate at-rest code. Monitor progressive images for suspicious postulation and different enactment to beryllium definite malware hasn't been downloaded astatine runtime. 

Morag besides recommends what fundamentally amounts to treating bundle proviso chains the aforesaid arsenic carnal ones: support integrity records. "It's important to guarantee that the instrumentality images successful usage are the aforesaid ones that person been vetted and approved," Morag said. Digital signing, blockchain-based chains-of-custody and different tools guarantee that the Docker representation you're downloading is the nonstop aforesaid 1 that you're expected to be.

On a related note, and arsenic mentioned above, attackers often trust connected radical downloading malicious files, some from Docker Hub and elsewhere by mistake, crafting cautiously misspelled record names apt to spell unnoticed astatine a glance. Be definite to ever cheque that you're downloading from the close root by looking astatine the publisher's profile, speechmaking comments and vetting them earlier causing a information incident. 

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article