Researchers Found Images on Docker Hub That Contained Cryptominers
A recently uncovered cryptomining scheme used malicious Docker images to hide cryptocurrency mining code, according to Palo Alto Networks’ Unit 42. These images were uploaded to the legitimate Docker Hub repository.
The Unit 42 researchers identified six variants of this Docker image that contained the XMRig cryptominer, which enabled hackers to mine Monero from compromised Docker containers.
These images, which were hosted in an account on the official Docker Hub repository, had been downloaded over 2 million times. One of the crypto wallets associated with the hackers contained approximately 525 Monero virtual coins that were worth about $36,000, the report notes.
While it is unclear who’s behind the scheme, the Unit 42 researchers found that the malicious Docker Hub account was created and activated in October 2019 and was primarily used to distribute the images. Docker took down the account after it was notified by Unit 42, according to the report.
Leveraging a Popular Platform
Docker is a popular platform-as-a-service offering for Linux and Windows devices that developers use to help develop and package applications.
“Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate,” the report notes. “This … makes it easy for a malicious actor to distribute their [malicious] images to any machine that supports Docker and start using its computing resources toward cryptojacking.”
Although the campaign is currently inactive, the researchers warn that attackers could resume their activities simply by setting up other accounts.
The malicious images were built with custom mining code that is loaded as soon as the victim launches an image, Unit 42 researchers note. Hackers hosted the images in a Docker Hub repository that resembled Microsoft Azure packages in order to trick victims into downloading them.
“All the images here have a version of a custom Python script that starts the coin mining process using network anonymizing tools like Tor and ProxyChains,” says Ashutosh Chitwadgi, principal software engineer at Unit 42. “This script is registered as the entry point for the images so that as soon as the image is launched, the script and thus coin mining starts.”
To make mining traffic difficult to identify on a network, hackers use the Tor browser and ProxyChains, open source software that allows users to run their programs through a proxy server, Chitwadgi notes.
“A firewall sitting between the victim miner and the internet would only see encrypted Tor traffic instead of the coin mining traffic that could trigger a different security team response compared to cleartext coin mining activity,” Chitwadgi tells Information Security Media Group.
The malware used in these attacks checked which CPU an infected device was using and changed the hash setting to allow the cryptominer to work, according to the report. Then the XMRig cryptominer was downloaded from a GitHub repository and began mining for Monero.
In the final stage of the attack, the threat actors mined Monero using two methods, the report notes.
“In the first method, the attacker is directly submitting the mined blocks to the central minexmr pool using a wallet ID,” according to the report. “Whereas in the second method, the author has instances deployed on a hosting service running their own mining pool that are used to collect mined blocks.”
Mitigating the Risk
Because it’s likely that hackers can revive the campaign simply by setting up a new Docker Hub account, Chitwadgi suggests Docker users automatically deploy cloud security tools that can scan for known vulnerabilities and provide alerts on dangerous configurations.
“This can help to maintain the security of all container components consistently and over time,” he says.
Chitwadgi also suggests users frequently check for any unknown containers or images in their systems. He also advises caution when downloading images from unknown registries or unknown user namespaces.
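As an added illustration of that advice (not code from Unit 42, Docker or this article), the sketch below audits `docker image inspect` output for images pulled from unvetted namespaces and reports what each one runs at launch, flagging startup commands that name XMRig, Tor or ProxyChains. The trusted list, the `registry.example.internal` host, the `example-ns` namespace and the sample records are constructed assumptions.

```python
import json

# Assumption: (registry, namespace) pairs your organisation has vetted.
# "library" is the namespace Docker Hub uses for official images.
TRUSTED = {("docker.io", "library"), ("registry.example.internal", "platform")}
# Tool names from the report; matched on the basename of each startup argument.
TOOL_PREFIXES = ("xmrig", "proxychains")

def parse_ref(ref):
    """Return (registry, namespace) for an image reference, with Docker Hub defaults."""
    parts = ref.split("@")[0].split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"
    namespace = "/".join(parts[:-1])
    if not namespace and registry == "docker.io":
        namespace = "library"
    return registry, namespace

def startup_command(image):
    """Entrypoint plus Cmd: what runs as soon as a container starts from the image."""
    cfg = image.get("Config") or {}
    return (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])

def audit(images):
    """Return one finding per image that is untrusted or starts a flagged tool."""
    findings = []
    for image in images:
        argv = startup_command(image)
        names = [w.rsplit("/", 1)[-1].lower() for arg in argv for w in arg.split()]
        tools = sorted({n for n in names if n == "tor" or n.startswith(TOOL_PREFIXES)})
        for ref in image.get("RepoTags") or ["<untagged>"]:
            untrusted = ref == "<untagged>" or parse_ref(ref) not in TRUSTED
            if untrusted or tools:
                findings.append({"image": ref, "untrusted": untrusted,
                                 "tools": tools, "startup": argv})
    return findings

# Constructed sample in the shape `docker image inspect` prints (not data from the report).
SAMPLE = json.loads("""[
 {"RepoTags": ["ubuntu:20.04"], "Config": {"Entrypoint": null, "Cmd": ["bash"]}},
 {"RepoTags": ["example-ns/azure-helper:latest"],
  "Config": {"Entrypoint": ["python3", "/opt/start.py"], "Cmd": null}},
 {"RepoTags": ["registry.example.internal/platform/build:1"],
  "Config": {"Entrypoint": ["/bin/sh", "-c", "proxychains4 /usr/bin/worker"], "Cmd": null}}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The second sample record shows why the namespace check matters: an image whose entry point is a wrapper script names no mining or proxy tool in its metadata, so it is caught only because its namespace is not on the vetted list.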