Category : Blog
Docker Images Removed From Docker Hub
Docker is a computer program that performs operating-system-level virtualization also known as containerization. It is developed by Docker, Inc. Docker is primarily developed for Linux, where it uses the resource isolation features of the Linux kernel such as cgroups and kernel namespaces.
The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users’ servers for the past year.
The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers.
These Docker images allow sysadmins to quickly start an application container within seconds, without having to create their own Docker app container, a complicated and painstaking process that not all users are technically capable or inclined to do.
Malicious Docker images remained online for a year
Just like it happened with other package repositories in the past —such as Python and npm— malicious actors have uploaded malicious packages on the main Docker Hub repository.
Because new Docker images don’t go through a security audit or testing process, these images were listed on the Docker Hub portal right away, where they remained active between May 2017 and May 2018, when the Docker team finally intervened to pull them down.
All 17 images were uploaded on the Docker Hub portal by the same person/group, using the pseudonym of “docker123321.” Some of these packages have been installed more than one million times, while others were used hundreds of thousands of times.
Took a while before users caught on to what was happening
Signs that something was wrong on the Docker and Kubernetes (app for managing Docker images at a large scale) scene started appearing last September and continued through the winter. Users reported that malicious activity was happening on their cloud servers running Docker and Kubernetes instances. Reports of security incidents involving Docker images were posted on GitHub and Twitter.
Several security firms and security researchers such as Sysdig, Aqua Security, and Alexander Urcioli also published reports about security incidents they’ve observed.
Malicious Docker images taken offline
While the number of security incidents grew, it was only when Fortinet and Kromtech got involved that all the pieces surrounding these hacks got put together, and researcher tracked down all these incidents to the docker123321 account.
Docker removed the 17 backdoored images from Docker Hub on May 10, this year, a week after Fortinet published a report about some of the cryptocurrency mining incidents linking back to Docker images created by the docker123321 account.
Some affected servers may still be compromised
Kromtech researchers warn that some of these images also contained backdoor-like capabilities thanks to the embedded reverse shells.
This means that even if victims stopped using or removed the malicious Docker images, the attacker could have very easily obtained persistence on their systems through other means, possibly granting them access to the system at a later time.
Highest Selling Technical Courses of Indian Cyber Security Solutions:
Cybersecurity services that can protect your company:
Other Location for Online Courses: