Over a Thousand Docker Container Images Obscured by Malicious Content

More than a thousand container images hosted on the popular Docker Hub database repository are malicious, putting users at risk of cyberattack, experts have warned.

According to a report by Sysdig, the images contained nefarious assets such as cryptominers, backdoors, and DNS hijackers.

Container images are essentially templates for building applications quickly and easily: they let developers reuse existing components instead of starting from scratch. Docker Hub allows users to upload images to, and download them from, its public library.

The Docker Library Project reviews the images and verifies those that it deems trustworthy, but there are many that have yet to be verified. Sysdig automatically scanned a quarter of a million unverified Linux images and found that 1652 contained harmful elements.

Cryptomining was the most common type of malicious implant, present in 608 of the scanned images. Next came embedded secrets, such as AWS credentials, SSH keys, GitHub tokens, and NPM tokens, which were found in 208 of the images.

Sysdig commented that these embedded keys mean that "the attacker can gain access once the container is deployed...uploading a public key to a remote server allows owners of the corresponding private key to open a shell and execute commands via SSH, similar to implanting a backdoor."

Typosquatting was a popular and effective tactic among the malicious images: threat actors publish slightly misspelled versions of popular, trusted images in the hope that potential victims will not notice the difference and will download the fraudulent version.

In fact, it worked at least 17,000 times, as that was the combined download count for two typosquatted Linux images.
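The two findings above, embedded secrets and typosquatted image names, are both things a defender can check before an image is pulled or built. The following script is an added example, not code from Sysdig or the report: it normalises a Docker image reference, flags non-official repositories whose name sits within a small edit distance of an official one, and scans a Dockerfile for the kinds of secrets and SSH-key implants described above. The official-image list, the token formats and the sample Dockerfile are assumptions constructed for the example.

```python
import re

# Constructed allow-list of Docker Library (official) names; a real check would load the full list.
OFFICIAL_IMAGES = {"ubuntu", "alpine", "nginx", "python", "redis", "postgres"}

# Assumed token formats: AWS access key id, PEM private key, GitHub classic PAT, npm token,
# plus a shell write into authorized_keys (the SSH backdoor pattern the report describes).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "ssh_authorized_keys_write": re.compile(r">>?\s*\S*authorized_keys"),
}

def normalize_repo(ref):
    # Drop the digest, then the tag (only ever in the last path component), then registry and 'library/'.
    ref = ref.split("@", 1)[0]
    parts = ref.split("/")
    parts[-1] = parts[-1].split(":", 1)[0]
    if parts[0] in ("docker.io", "index.docker.io"):
        parts = parts[1:]
    if len(parts) > 1 and parts[0] == "library":
        parts = parts[1:]
    return "/".join(parts)

def levenshtein(a, b):
    # Classic edit distance; 'ubnutu' vs 'ubuntu' is 2.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_suspects(ref, max_distance=2):
    # Official names that a non-official image name is close enough to impersonate; exact official refs pass.
    repo = normalize_repo(ref)
    if repo in OFFICIAL_IMAGES:
        return []
    name = repo.rsplit("/", 1)[-1]
    return sorted(o for o in OFFICIAL_IMAGES if levenshtein(name, o) <= max_distance)

def find_secrets(text):
    # Names of the secret/implant patterns present in a Dockerfile or an extracted layer file.
    return sorted(n for n, p in SECRET_PATTERNS.items() if p.search(text))

# Constructed Dockerfile for the example; not taken from any real image.
SAMPLE_DOCKERFILE = """FROM ubnutu:22.04
ENV AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
RUN echo 'ssh-rsa AAAA... implant' >> /root/.ssh/authorized_keys
"""
```

Running `typosquat_suspects("ubnutu:22.04")` returns `['ubuntu']`, and `find_secrets(SAMPLE_DOCKERFILE)` flags both the AWS key and the authorized_keys write.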

Sysdig claims there has been a 15% increase this year in the number of images pulled from the public library, so it looks like the problem won't go away anytime soon.