Over a thousand Docker container images found hiding malicious content

malware
(Image credit: Elchinator from Pixabay)

Over a thousand container images hosted on the popular database repository Docker Hub are malicious, putting users at risk of cyberattack, experts have warned.

According to a report from Sysdig, the images contained nefarious assets such as cryptominers, backdoors, and DNS hijackers. 

Container images are essentially templates for creating applications quickly and easily, without having to start from scratch when reusing certain features. Docker Hub allows users to upload and download these images to and from its public library.

Types of malware

The Docker Library Project reviews images and verifies those it deems to be trustworthy, but there are plenty that remain unverified. Sysdig automatically scanned a quarter of a million unverified Linux images, and found 1,652 to be hiding harmful elements. 

Cryptomining was the most common kind of malicious implant, present in 608 of its scanned images. Next were embedded secrets, such as AWS credentials, SSH keys, GitHub and NPM tokens. These were found in 208 of the images.

Sysdig commented that these embedded keys mean that, “the attacker can gain access once the container is deployed… uploading a public key to a remote server allows the owners of the corresponding private key to open a shell and run commands via SSH, similar to implanting a backdoor.”

Typosquatting was a popular and successful tactic used by threat actors in the compromised images - slightly misspelt versions of popular and trusted images in the hopes that potential victims will not notice and download their fraudulent version instead. 

Indeed, it worked at least 17,000 times, as this was the combined number of downloads of two typosquatted Linux images.

Sysdig claims that there has been a 15% rise this year in the amount of images pulled from the public library, so it looks as if the problem isn’t going away anytime soon.  

TOPICS
Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.