Malicious actors are taking advantage of the opportunity to target exposed API endpoints and craft malware-infested images to facilitate distributed denial-of-service (DDoS) attacks and mine cryptocurrencies.
According to a report published by Palo Alto Networks' Unit 42 threat intelligence team, the purpose of these Docker images is to generate funds by deploying a cryptocurrency miner using Docker containers and leveraging the Docker Hub repository to distribute these images.
"Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate," Unit 42 researchers said. "This, combined with coin mining, makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly starts using its compute resources towards cryptojacking."
Wei Lien Dang, Co-Founder and Chief Strategy Officer at StackRox, a Mountain View, Calif.-based leader in security for containers and Kubernetes, says, "Software coding today very frequently includes utilizing images that are made available in public registries such as Docker Hub, which makes uploading compromised images a clear attack vector. We’ve seen numerous examples of attackers successfully planting cryptominers in public Docker images. Fundamentally, organizations must take care in the registries their users access for downloading images and the images that are allowed to be used to launch containers. Standard advice includes using private trusted registries and allowing only vetted images to be employed."
"After a breach on Docker Hub last year, we compiled the following series of protective steps to follow to ensure you haven’t already been the target of a cryptomining attack – these precautions can help:
- rotate your secrets – especially changing your passwords
- audit your images – ensure your teams are using only approved images
- look for unexpected activity – especially changes in process executions and network connectivity
"These kinds of cryptojacking attacks show no sign of abating, so organizations must routinely apply both preventative measures as well as runtime monitoring to ensure they haven’t been compromised," he says.