Cyber criminals have started using malicious container images to install cryptocurrency miners on corporate networks, and the same images can also serve as a foothold for supply chain attacks aimed at cloud-native environments.
According to a new blog post, the cyber security company Aqua Security discovered several supply chain attacks that use malicious container images to compromise their victims while Team Nautilus, its threat research team, was running its daily scan of Docker Hub for malicious activity.
The first three container images the research team discovered (thanhtudo, thienutre, and chanquaa) all run a Python script called dao.py, which had previously been used in several campaigns that relied on typosquatting to hide malicious container images on Docker Hub.
The dao.py script launches a binary called xmrig, a Monero cryptocurrency miner, which is hidden in one of the layers of the container image.
Malicious container images
Two of the container images (openjdk and golang) discovered by Aqua Security use misleading names to pass as the official container images for OpenJDK and Golang, respectively.
The cyber criminals behind this campaign designed them so that a busy user might mistake them for the official images, even though the Docker Hub accounts that publish them are not official. Official images are published only under Docker Hub's library namespace (for example docker.io/library/openjdk), so an openjdk or golang repository under any other account should be treated as unverified. Once one of these images runs, the xmrig binary executes and hijacks the host's resources for cryptocurrency mining.
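As an added example (not code from the article or from Aqua Security), the following Python applies that namespace rule to image references before they are pulled: it normalizes a reference the way Docker does (no registry means docker.io, no namespace on docker.io means library, no tag means latest) and flags repositories that reuse, or are one typo away from, an official image name while living outside the library namespace. The list of official names and the someuser account are assumptions for illustration; the article does not name the publishing account.

```python
"""Flag Docker Hub references that imitate official images.

Added example: official images live only under docker.io/library, so a
repository named like one but published by another account is suspect.
"""

# Assumed allowlist of official image names to protect; extend it from the
# docker.io/library catalogue for real use. openjdk and golang are the two
# names imitated in the campaign described above.
OFFICIAL_NAMES = ("alpine", "golang", "node", "openjdk", "python")


def parse_reference(ref):
    """Split an image reference into its parts, applying Docker's defaults:
    no registry -> docker.io, no namespace on docker.io -> library,
    no tag -> latest. Returns a dict."""
    parts = ref.split("/")
    registry = "docker.io"
    # The first component is a registry only if it looks like a host name.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    path = "/".join(parts)
    digest = None
    if "@" in path:
        path, digest = path.split("@", 1)
    tag = "latest"
    # A ':' in the last component is a tag; earlier colons belong to a registry port.
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    components = path.split("/")
    repository = components[-1]
    namespace = "/".join(components[:-1])
    if not namespace and registry == "docker.io":
        namespace = "library"
    return {"registry": registry, "namespace": namespace,
            "repository": repository, "tag": tag, "digest": digest}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_reference(ref):
    """Classify a reference as official, lookalike, unofficial or other-registry.
    Returns (verdict, reason)."""
    r = parse_reference(ref)
    if r["registry"] != "docker.io":
        return "other-registry", f"{ref} is not on Docker Hub; apply that registry's policy"
    if r["namespace"] == "library":
        return "official", f"{r['repository']} is in the official library namespace"
    for name in OFFICIAL_NAMES:
        if r["repository"] == name:
            return "lookalike", f"{r['namespace']}/{r['repository']} reuses the official name {name}"
        if edit_distance(r["repository"], name) == 1:
            return "lookalike", f"{r['namespace']}/{r['repository']} is one edit away from {name}"
    return "unofficial", f"{r['namespace']}/{r['repository']} is a third-party image; review before use"


if __name__ == "__main__":
    # someuser is a hypothetical account used only for this demonstration.
    for ref in ("openjdk", "someuser/openjdk", "someuser/golng:1.16", "someuser/thanhtudo"):
        print(ref, "->", check_reference(ref))
```

A check like this belongs in the admission path (CI, an image-pull policy, or a registry proxy) rather than in a reviewer's head, because the whole point of the lookalike names is that a tired human reads `openjdk` and stops there.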
While the first two container images (thanhtudo and thienutre) are most likely intended for use in a supply chain attack, the others are primarily used to mine cryptocurrency. Between them, the five malicious container images have been pulled more than 120,000 times from Docker Hub.
To protect your organization and its network from both cryptominers and supply chain attacks, Aqua Security recommends controlling access to public registries, scanning container images for malware with both static and dynamic analysis, and digitally signing container images to preserve image integrity.
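The static-analysis recommendation can be applied offline to the tarball that `docker save` produces, before an image is admitted to a private registry. The following Python is an added example, not Aqua Security's tooling: it walks every layer listed in the image's manifest.json and reports files whose names match those the article ties to this campaign (xmrig, dao.py), as well as ELF executables sitting outside the directories where a base image normally keeps binaries. The two-layer image it scans is constructed in memory for the demonstration; the layer names, the expected-directory list and the severity labels are assumptions.

```python
"""Scan a `docker save` tarball layer by layer for signs of a hidden miner.

Added example. Reports per layer, because a file planted in one layer can be
deleted or overwritten by a later layer and vanish from the final filesystem.
"""
import io
import json
import tarfile

# File names the article associates with this campaign.
SUSPICIOUS_NAMES = {"xmrig", "dao.py"}
# Assumed: directories where ELF executables are expected in a normal image.
EXPECTED_BIN_DIRS = ("bin/", "sbin/", "lib/", "lib64/", "usr/", "opt/")
ELF_MAGIC = b"\x7fELF"


def _normalize(path):
    """Strip the './' and '/' prefixes that layer tars commonly carry."""
    while path.startswith("./"):
        path = path[2:]
    return path.lstrip("/")


def scan_layer(layer_name, layer_bytes):
    """Return a list of findings for one layer tar."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        for member in layer:
            if not member.isfile():
                continue
            path = _normalize(member.name)
            base = path.rsplit("/", 1)[-1]
            handle = layer.extractfile(member)
            is_elf = (handle.read(4) if handle else b"") == ELF_MAGIC
            if base in SUSPICIOUS_NAMES:
                findings.append({"layer": layer_name, "path": path, "severity": "high",
                                 "reason": f"known campaign file name {base}"})
            elif is_elf and not path.startswith(EXPECTED_BIN_DIRS):
                findings.append({"layer": layer_name, "path": path, "severity": "medium",
                                 "reason": "ELF executable outside expected binary directories"})
    return findings


def scan_image(image_bytes):
    """Scan every layer named in manifest.json of a `docker save` tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_path in entry["Layers"]:
                findings.extend(scan_layer(layer_path, image.extractfile(layer_path).read()))
    return findings


def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes} (helper for the sample image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed two-layer image in `docker save` layout; not a real
    image from the campaign. Layer ids and file contents are made up."""
    base_layer = _tar_bytes({
        "bin/sh": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9,   # benign ELF where expected
        "etc/os-release": b"ID=alpine\n",
    })
    evil_layer = _tar_bytes({
        "usr/local/bin/xmrig": ELF_MAGIC + b"\x02" + b"\0" * 11,  # miner by name
        "app/dao.py": b"import subprocess\nsubprocess.run(['/usr/local/bin/xmrig'])\n",
        "tmp/.cache/helper": ELF_MAGIC + b"\0" * 12,           # ELF in an odd place
    })
    manifest = [{"Config": "config.json", "RepoTags": ["someuser/openjdk:latest"],
                 "Layers": ["aaaa/layer.tar", "bbbb/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "aaaa/layer.tar": base_layer,
        "bbbb/layer.tar": evil_layer,
    })


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        print(f"[{f['severity']}] {f['layer']}: {f['path']} ({f['reason']})")
```

To run it against a real image, export it with `docker save someuser/openjdk:latest -o image.tar` and call `scan_image(open("image.tar", "rb").read())`. Name and location heuristics are a first filter, not a verdict: a renamed miner passes the name check, which is why the article also recommends dynamic analysis and image signing so that only layers from a known publisher reach production.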