Docker Hub and Bitbucket Resources Hijacked for Crypto-Mining


Security researchers are warning of a resurgent campaign to hijack developer resources for cryptocurrency mining.

A team from Aqua Security explained that over the period of just four days, attackers set up 92 malicious Docker Hub registries and 92 Bitbucket repositories to abuse these resources.

“The adversaries create a continuous integration process that every hour initiates multiple auto-build processes, and on each build, a Monero cryptominer is executed,” said Aqua Security’s lead data analyst, Assaf Morag.

The kill chain is pretty straightforward. First, the attackers register multiple fake email accounts using a Russian provider. They then set up a Bitbucket account with several repositories. These use official documentation to appear legitimate.

They do a similar thing with Docker Hub, creating an account with several linked registries.

The images are built on Docker Hub/Bitbucket environments and subsequently hijack their resources to illegally mine cryptocurrency.

Morag concluded that developer environments like these are an increasingly popular target for cyber-criminals as they are often overlooked by security teams.

“This campaign shows the ever-growing sophistication of attacks targeting the cloud native stack. Bad actors are constantly evolving their techniques to hijack and exploit cloud compute resources for cryptocurrency mining,” he warned.

“As always, we recommend that such environments have strict access controls, authentication, and least-privilege enforcement, but also continuous monitoring and restrictions on outbound network connections to prevent both data theft and resource abuse.”

The discovery comes just a few months after Aqua Security spotted a similar campaign. In September last year, it detected a campaign targeting the automated build processes of Docker Hub and GitHub. The affected services were notified and blocked the attack that time.

“The build systems used to create software should always be secured to ensure they only process requests related to legitimate projects. There are many reasons for this, but the most important of which is to ensure that what is being built is something that should be built,” argued Synopsys principal security strategist, Tim Mackey.

“When build systems and build processes are moved to cloud based systems, the risk profile for the build system now extends to the capabilities of the cloud provider as well. While major public providers of software build services, like GitHub or Docker, will have protections in place to limit client risk, as this report shows, they are not immune from attack.”

Leave a Reply