Their reports follow a warning from Microsoft earlier this month about hackers hijacking Kubeflow, a machine learning toolkit for Kubernetes, and using the cloud computing resources running in Microsoft Azure to mine for cryptocurrency.
Palo Alto Networks’ Unit 42 today said its team found a malicious Docker Hub account that has been active since last October hosting six malicious images that have collectively been pulled more than 2 million times. For comparison, legitimate Azure-related images under the official Microsoft Docker Hub account have between a few thousand and 100 million or more downloads or pulls.
Unit 42 Uncovers 2M Downloads
Unit 42 said one of the wallet IDs earned more than 525.38 XMR, or about $36,000. “Additionally, when we last checked minexmr.com for this wallet ID, we saw recent activity indicating that it’s still being used,” the blog post said.
The mining code used in the malicious images evades detection by using network anonymizing tools such as ProxyChains and Tor. However, the researchers say Palo Alto Networks Next-Generation Firewall customers that subscribe to the vendor’s threat prevention service are protected from this threat. Additionally, Palo Alto Networks released a threat signature to prevent network-based delivery of these malicious images.
Last October, Unit 42 researchers uncovered a new cryptojacking worm that infected more than 2,000 unsecured Docker hosts to mine for Monero cryptocurrency. They named the worm “Graboid” in honor of the 1990s movie “Tremors.”
Aqua Finds Cryptominers in Docker Hub
Meanwhile, Aqua Security researchers today detailed a similar attack method in which hackers hid cryptominers in container images stored in Docker Hub.
The cloud-native security company’s threat team discovered 23 of these container images that had a potentially unwanted application (PUA) hidden within the image layers or downloaded into containers during runtime. Aqua determined these images were likely built by an Algerian hacking group called DzMLT, and said the malicious images were pulled more than 330,000 times.
“After all our research, one question remained: Cumulatively, there were over 330K image pulls, so how did the attackers persuade thousands of people to pull these images directly from Docker Hub? One idea was that this group targeted misconfigured open Docker Daemon API ports,” Assaf Morag, Aqua lead data analyst, wrote in a blog post. “Another possibility was that malware was used to pull and run these images, which is plausible since we know the DzMLT group offers free hacking tools — which were reported as infected with Malware. But the truth is, we may never know the entire story.”
Many of these container images avoided detection by downloading cryptocurrency miners during runtime — which is something that Aqua has repeatedly warned about, and which the vendor’s dynamic threat analysis tool protects against by scanning images during simulated runtime conditions using a secure sandbox.
“This is why at Aqua we recommend that organizations restrict the images that can run only to a pre-approved, scanned, and analyzed set of known images and reject anything else,” Tsvi Korren, field CTO at Aqua Security, said in an earlier interview.
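One concrete form of the “pre-approved set of known images” control is an admission check that parses every image reference a workload asks to run, normalizes it (Docker Hub shorthand such as `nginx` really means `docker.io/library/nginx`), refuses anything that is not pinned to a digest, and then compares the registry, repository and digest against an allowlist. The following is an added example written for this article, not code from Aqua Security, Palo Alto Networks or any project named above; the registry name `registry.example.internal`, the repository `team/api` and the all-`a` digest are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Image references may carry a tag, a digest, or both; only the digest
# identifies immutable content, so the policy below insists on one.
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference like registry/repo:tag@sha256:... into its parts,
    applying Docker Hub's defaults (docker.io registry, library/ namespace)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")

    parts = ref.split("/")
    # The first path component is a registry only if it looks like a host
    # (contains a dot or port, or is "localhost"); otherwise it is a namespace.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], parts[1:]
    else:
        registry, path = "docker.io", parts
        if len(path) == 1:
            path = ["library"] + path  # official-image shorthand

    tag = None
    last = path[-1]
    if ":" in last:
        last, tag = last.rsplit(":", 1)
    repository = "/".join(path[:-1] + [last])
    if not repository or any(p == "" for p in path):
        raise ValueError(f"malformed repository in {ref}")
    return ImageRef(registry, repository, tag, digest)


# Constructed allowlist: (registry, repository) -> set of approved digests.
# In practice this is populated from the scanned/analyzed images the
# organization has signed off on; the entry here is a placeholder.
APPROVED_IMAGES = {
    ("registry.example.internal", "team/api"): {"sha256:" + "a" * 64},
}


def evaluate(ref: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a requested image reference."""
    try:
        img = parse_image_ref(ref)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if img.digest is None:
        return False, "rejected: reference is not pinned to a digest"
    approved = APPROVED_IMAGES.get((img.registry, img.repository))
    if not approved:
        return False, f"rejected: {img.registry}/{img.repository} is not an approved image"
    if img.digest not in approved:
        return False, "rejected: digest is not an approved build of this image"
    return True, "allowed"


if __name__ == "__main__":
    for candidate in [
        "nginx:latest",
        "registry.example.internal/team/api@sha256:" + "a" * 64,
        "registry.example.internal/team/api@sha256:" + "b" * 64,
    ]:
        print(candidate, "->", evaluate(candidate))
```

Tag-only references such as `nginx:latest` are rejected outright because a tag can be repointed at new content after the image was reviewed, which is exactly the gap an allowlist of names alone leaves open. Note what this check does not cover: the article describes images that fetched their miner only at runtime, and a pinned digest says nothing about what a container downloads after it starts, which is why the dynamic analysis and runtime restrictions mentioned above are needed alongside it.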