Threat Watch

Docker Hub Host Images Shipping with Cryptominers

Researchers from Palo Alto Network’s Unit 42 research group have discovered 30 images on Docker Hub embedded with Cryptominers. While most of these miners were embedded with XMRig for Monero mining, Arionum and Grin were also used. In the past, Docker Hub has been used as a central source to disguise images as legitimate applications to hide malware including cryptominers. According to Palo Alto, between the 30 infected images, there were over 20 million downloads, which accumulated about $200,000 in collections for the threat actors controlling the Monero wallets.

ANALYST NOTES

Utilizing Docker Hub has been a reliable way to take advantage of cloud services for malware authors. As more organizations use Docker in the cloud, embedding miners in applications is an easy way for malware to go undetected as resource monitoring is more complicated. Protecting against resource abuse with Docker starts with where one sources images for the containers. If an organization’s team is not building their Docker images, be careful that when a third-party image is pulled, it is vetted and linked by the originating author to avoid malicious impersonation. In the case of cryptocurrency miners, also be sure to implement network monitoring to detect if a container or image has been hijacked and used for mining.

References:

https://unit42.paloaltonetworks.com/malicious-cryptojacking-images/
https://www.bleepingcomputer.com/news/security/docker-hub-images-downloaded-20m-times-come-with-cryptominers/