Slashdot Mirror


17 Backdoored Images Downloaded 5 Million Times Removed From Docker Hub (bleepingcomputer.com)

An anonymous reader writes: "The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year," reports Bleeping Computer. "The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers." The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today's exchange rate. Docker Hub is now just the latest package repository to feature backdoored libraries, after npm and PyPl. Docker Hub is now facing criticism for taking months to intervene after user reports, and then going on stage at a developer conference and claiming they care about security.

7 of 36 comments

  1. justification by encrypted · Score: 5, Insightful

    I have always been too picky to trust people's images; if there's something I want to use I will build it myself and store it on my private docker repo. Building your business on something anyone can just upload or change seems dangerous. I started to wonder if the extra work really made sense; apparently yes.

    1. Re:justification by Bigbutt · Score: 2

      Yep. Devs and Systems Eng wanted the kubernetes clusters to have internet access in order to download containers. I refused and built containers and pushed them to our internal repo.

      [John]

      --
      Shit better not happen!

  2. Damn it by Tsolias · Score: 2

    I read that there are images, some backdoors, downloaded gorillion times... and I was ready with the lube next to me... ...but apparently, images can mean .iso files.
    Damn it.

  3. Unbelievable by Ozan · Score: 3, Informative

    Using Docker in production, my heart skipped a beat when I read the headline. But then...

    All 17 images were uploaded on the Docker Hub portal by the same person/group, using the pseudonym of "docker123321."

    WHO THE FUCK pulls an image called docker123321/tomcat22 ?

  4. So you are saying ... by whoever57 · Score: 2

    Nonetheless, Kromtech researchers warn that some of these images also contained backdoor-like capabilities thanks to the embedded reverse shells.

    This means that even if victims stopped using or removed the malicious Docker images, the attacker could have very easily obtained persistence on their systems through other means, possibly granting them access to the system at a later time.

    So you are saying that when the image is run under Docker, it can write to the host filesystem, open ports, etc. Isn't it sandboxed?

    I am not sure how one can claim to care about security without a secure sandbox.

    --
    The real "Libtards" are the Libertarians!

    1. Re:So you are saying ... by sjames · Score: 3, Informative

      That depends on the container, but yes. The spec of a container can include direct access to host resources, including directories, or not. Adding to the fun, if you grant a user sufficient access to docker to run their own images, you have effectively granted them root.
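The point sjames makes, that the container spec decides how much of the host an image can reach, can be checked from the outside. The following is an added example, not code from the thread or from Docker: it audits the `HostConfig` section of `docker inspect` output for settings that hand a container host access (privileged mode, root or docker-socket bind mounts, writable host binds, host network/PID namespaces, dangerous added capabilities). The container names and the inspect JSON are constructed sample data; the function names are my own.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output,
# trimmed to the HostConfig keys the audit looks at (real output has many more).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/app:/app:ro"],
                    "NetworkMode": "bridge", "PidMode": "", "CapAdd": None}},
    {"Name": "/suspect",   # constructed name, stands in for an untrusted image
     "HostConfig": {"Privileged": True,
                    "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"],
                    "NetworkMode": "host", "PidMode": "host", "CapAdd": ["SYS_ADMIN"]}},
])

# Capabilities that let a process escape the container or load kernel code.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_host_config(hc):
    """Return a list of findings for one container's HostConfig dict."""
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices")
    for bind in hc.get("Binds") or []:
        # Bind format is "src:dst[:opts]"; a src without a leading "/" is a named volume.
        parts = bind.split(":")
        src = parts[0]
        opts = parts[2].split(",") if len(parts) > 2 else ["rw"]
        if src == "/":
            findings.append("bind mounts host root filesystem")
        elif src.endswith("/docker.sock"):
            findings.append("bind mounts docker socket (equivalent to root on host)")
        elif src.startswith("/") and "ro" not in opts:
            findings.append(f"writable host bind mount {src}")
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in RISKY_CAPS:
            findings.append(f"adds capability {cap}")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for every container in `docker inspect` output."""
    return {c["Name"].lstrip("/"): audit_host_config(c.get("HostConfig", {}))
            for c in json.loads(text)}


if __name__ == "__main__":
    for name, found in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "->", found or "no host-access findings")
```

Run it against real data with `docker inspect $(docker ps -q)` piped into `audit_inspect_json`; an empty list does not mean an image is trustworthy, only that its runtime spec does not grant it the host.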