Aqua Security Report Finds Malicious Images on DockerHub

Aqua Security has published a report that identifies five malicious Docker images that have collectively been pulled more than 130,000 times from the Docker Hub repository. The images hijack organizations’ resources to mine cryptocurrency and can be used as part of a supply chain attack targeting cloud-native environments.

Three of the container images—thanhtudo, thieunutre and chanquaa—all execute a Python script dubbed dao.py that has been used in previous attacks that employed typosquatting to hide malicious container images in Docker Hub.

The other two container images—openjdk and golang—use misleading titles to suggest they are official container images approved by the OpenJDK and Golang open source programming tool communities.

The survey is the latest in a series of reports published by Aqua Security detailing various examples of how container security is being compromised. Most recently, the company published a report that finds, among other things, only 3% of respondents recognize that a container, in and of itself, is not a security boundary and that less than a quarter (24%) have plans in place for securing containers at runtime. Only 18% of respondents say they realize they are at risk for zero-day attacks in containerized environments.

Previously, Aqua Security also published a report showing honeypots based on containers being attacked 17,358 times, representing a 26% increase from just the previous six months.

Assaf Morag, lead data analyst for Aqua Security, says while cybercriminals continue to focus on cryptomining attacks, it’s also apparent they can use these images to deliver forms of malware capable of breaching a software supply chain. On the plus side, a recent series of high-profile security breaches is bringing more attention to how modern applications are built using containers, notes Morag. Not many security professionals today have had a lot of exposure to container security, he adds.

Unfortunately, cryptomining is often viewed as a nuisance crime that cybersecurity teams don’t tend to prioritize because most of these attacks involve the hijacking of CPU resources to mine cryptocurrencies. However, as containers become more widely employed within applications that are driving a wide range of digital business processes, the potential threat to organizations becomes more significant, says Morag.

It’s not clear to what degree the rise of DevSecOps best practices might mitigate container security issues as developers gain access to tools that scan for vulnerabilities as applications are built and deployed. Of course, as long as applications are built by humans there will be mistakes made. Cybersecurity teams will need to monitor container applications for vulnerabilities after they are deployed simply because many vulnerabilities are not discovered until after an application is deployed.

Containers are also frequently ripped and replaced, which only creates more opportunities for mistakes to be made. Conversely, whenever a vulnerability is discovered, it’s much simpler and requires less developer effort to replace a container than it is to patch a monolithic application. In that sense, container applications, over time, could prove to be a lot more secure than legacy applications.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1188 posts and counting. See all posts by Mike Vizard