The Docker daemon has been seen and known as a security issue since day one, so what?
The industrial scale of the disaster is impressive. As a user, I read such news every 2-3 months...
The Linux ecosystem is no longer what it used to be.
---
Palo Alto Networks specialists have discovered 30 malicious images in the official Docker container repository. The images they found had been downloaded more than 20,000,000 times and were used for covert cryptocurrency mining.
---
CrowdStrike analysts have noticed that Docker images downloaded more than 150,000 times were used to launch DDoS attacks against government websites and news organizations in Russia and Belarus.
---
Sysdig experts have found that over 1,600 images on Docker Hub exhibit various kinds of malicious behavior: they may hide cryptocurrency miners, embedded secrets that can serve as backdoors, malware that compromises DNS, and website redirectors.
---
Analysts from RWTH Aachen University have published a study which found that tens of thousands of container images on Docker Hub contain secrets, putting software, online platforms, and users at risk of large-scale attacks.
---
A new malware campaign targeting vulnerable Docker services installs the XMRig miner and the 9hits application on compromised hosts. The attackers thus monetize the compromised systems not only through mining but also by generating traffic.
---
Hackers are targeting misconfigured Apache Hadoop YARN, Docker, Confluence, and Redis servers with a new Go-based malware that automates the discovery and compromise of new hosts.
---
Palo Alto Networks experts have discovered a strange cryptojacking worm called Graboid, which uses Docker Engine (Community Edition) containers to spread.
---
Aqua Security has reported attacks that have been going on in recent months. Unknown attackers scan the Internet for Docker servers whose API port is open to anyone, without authentication. These unprotected hosts are eventually compromised and infected with mining malware called Kinsing.
---
Since 2017, criminals have increasingly attacked Docker and Kubernetes systems, which had already become widespread by that time.
Although such attacks have become commonplace, many web developers still do not understand how to configure Docker properly and leave their servers exposed to attackers. The most common of these mistakes is leaving the API endpoint for remote administration reachable over the Internet without authentication.
In recent years, such vulnerable servers have been actively sought out and infected by Doki, Ngrok, Kinsing (H2miner), XORDDOS, AESDDOS, TeamTNT and others, which then deploy backdoors or miners on the servers.
Now specialists from the Chinese company Qihoo 360 have discovered new malware, Blackrota, which also attacks vulnerable Docker servers. The malware is a simple backdoor Trojan, essentially a simplified version of the Cobalt Strike beacon, implemented in Go. So far only a Linux version has been found, and it is unclear how exactly it is used. The researchers do not know whether a Windows version exists, whether Blackrota is used to mine cryptocurrency, or whether the attackers want powerful cloud servers for DDoS attacks.
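The misconfiguration behind most of these stories is a daemon that listens on a TCP socket without client-certificate verification: anyone who can reach the port can start a privileged container and own the host. Below is an added example (not from the post or from any of the researchers cited) that audits a `daemon.json` for exactly that. It assumes the documented keys `hosts`, `tls`, `tlsverify` and `tlscacert`, the conventional ports 2375 (plain) and 2376 (TLS), and uses two constructed configurations, one exposed and one hardened. Note the caveat it encodes: `"tls": true` on its own only encrypts the connection; only `tlsverify` makes the daemon reject clients without a certificate signed by the CA in `tlscacert`.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configurations for this example (not taken from any real host).
INSECURE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Bind addresses that expose the listener on every interface.
WILDCARD_ADDRESSES = {"", "0.0.0.0", "::"}


def audit_daemon_config(raw_json: str) -> list[str]:
    """Return human-readable findings; an empty list means no exposed remote API."""
    cfg = json.loads(raw_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):          # dockerd also accepts a single string
        hosts = [hosts]
    tls_verify = cfg.get("tlsverify") is True
    has_ca = bool(cfg.get("tlscacert"))
    findings = []
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue                    # unix:// and fd:// listeners are local-only
        bind = url.hostname or ""
        port = url.port or 2375        # dockerd defaults the TCP port to 2375
        if bind in WILDCARD_ADDRESSES:
            findings.append(f"{host}: API bound to all interfaces")
        if not tls_verify:
            # "tls": true alone encrypts but does not authenticate the client;
            # without tlsverify every client that reaches the port is root on the host.
            findings.append(
                f"{host}: remote API on port {port} accepts unauthenticated clients "
                f"(tlsverify not set)")
        elif not has_ca:
            findings.append(f"{host}: tlsverify set but no tlscacert to verify clients against")
    return findings


if __name__ == "__main__":
    for label, raw in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(raw) or "OK")
```

Run it against `/etc/docker/daemon.json` on your own hosts; anything it reports for a `tcp://` listener is the configuration the scanners in the stories above are looking for.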
---
Researchers from Prevasio analyzed 4,000,000 publicly available Docker images hosted on Docker Hub and found that more than half of them contain critical vulnerabilities, and several thousand images contain malicious or potentially dangerous components.
For the analysis, the specialists used their own Prevasio Analyzer service, which ran non-stop for a month on 800 machines.
The analysis revealed that 51% of the 4,000,000 images analyzed contain packages or dependencies with at least one critical vulnerability, and another 13% contain high-severity bugs.
About 6,400 images (0.16% of the total) were classified as malicious or potentially dangerous because they contained malware, cryptocurrency miners, hacking tools, a malicious npm package (flatmap-stream), or Trojanized applications. Worse, these images had collectively been downloaded more than 300,000,000 times. Cryptocurrency miners were found in 44% of the 6,400 images. While in many cases developers are open about their images containing miners, sometimes the miners are hidden.
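Two of the items above (the RWTH Aachen study and Prevasio's "embedded secrets") come down to credentials baked into image layers or image metadata. The following is an added example, not from the post or either research team, of the basic check behind such scans: it walks a `docker save` style archive (manifest, image config JSON and nested per-layer tars, which is the layout assumed here) and pattern-matches every file, plus the config's `Env`, for a few obvious secret shapes. The sample image is constructed in memory and the key material in it is fake (the AWS key is Amazon's documented example value).

```python
import io
import json
import re
import tarfile

# A small set of secret shapes; a real scanner would use a far larger rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "env_credential": re.compile(rb"(?i)\b\w*(?:PASSWORD|SECRET|TOKEN)\w*=\S+"),
}
MAX_SCAN_BYTES = 1 << 20  # skip large binaries in this demo


def _scan_bytes(data: bytes, location: str, findings: list) -> None:
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(data):
            findings.append((location, name))


def _scan_tar(tf: tarfile.TarFile, prefix: str, findings: list) -> None:
    for member in tf.getmembers():
        if not member.isfile():
            continue
        handle = tf.extractfile(member)
        if handle is None:
            continue
        location = f"{prefix}{member.name}"
        data = handle.read()
        if member.name.endswith(".tar"):
            # docker save stores each layer as a nested tar; recurse into it.
            try:
                with tarfile.open(fileobj=io.BytesIO(data)) as layer:
                    _scan_tar(layer, location + "::", findings)
                continue
            except tarfile.ReadError:
                pass                       # not really a tar: scan it as plain bytes
        if member.size <= MAX_SCAN_BYTES:
            _scan_bytes(data, location, findings)


def scan_image_archive(archive: bytes) -> list[tuple[str, str]]:
    """Return sorted (location, rule) pairs for every file in the archive that matched."""
    findings: list = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        _scan_tar(tf, "", findings)
    return sorted(set(findings))


def _tar_bytes(entries: dict) -> bytes:
    """Build an in-memory tar from {name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for `docker save` output; all secrets here are fake."""
    layer0 = _tar_bytes({
        "app/main.py": b"print('hello')\n",
        "root/.aws/credentials": b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    })
    layer1 = _tar_bytes({
        "etc/ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk\n"
                          b"-----END OPENSSH PRIVATE KEY-----\n",
    })
    # Credentials passed via ENV end up in the image config, visible to anyone who pulls it.
    config = json.dumps({"config": {"Env": ["PATH=/usr/bin", "DB_PASSWORD=hunter2"]}}).encode()
    manifest = json.dumps([{"Config": "cfg.json",
                            "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest, "cfg.json": config,
                       "l0/layer.tar": layer0, "l1/layer.tar": layer1})


if __name__ == "__main__":
    for location, rule in scan_image_archive(build_sample_image()):
        print(f"{rule:20s} {location}")
```

A point the example makes that the numbers alone do not: deleting a secret in a later `RUN rm` does not help, because every layer is scanned (and shipped) independently, and anything set with `ENV` lives in the config JSON rather than in any layer at all.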