17 Cryptomining Malware Installed 5M Times From Docker Hub


According to security firm Kromtech, the popular Docker image distribution site Docker Hub allowed as many as 17 malicious Docker images to be downloaded more than five million times over a ten-month span. For those who may not be aware, a Docker image is a pre-configured application, packaged with its dependencies, that runs in an isolated container. The images in question, made publicly available by an account under the handle “docker123321”, were first complained about a full eight months prior to being taken down in May. Unbeknownst to those who downloaded the images, first uploaded between July and August of last year, each contained hidden applications designed specifically to mine cryptocurrency.

The first complaint, via GitHub, came just months later, in September. Further complaints were made in January and early May of this year, reported by security firms Sysdig and Fortinet, respectively. Despite those reports, the malicious images stayed up until Docker Hub finally deleted the account in mid-May. As a result, docker123321 was able to accrue approximately 544.74 Monero, which as of this writing is worth right around $90,000. Perhaps worse, although the images were removed from Docker Hub, removal from the registry does not touch copies already pulled: they can still be run on any server where they were installed. For clarity, each of the seventeen Docker images was named on Docker Hub according to the uploader’s account name, so they are all named “docker123321/” followed by the image name. Kromtech reports the images as tomcat, tomcat11, tomcat22, kk, mysql, data, mysql0, cron, cronm, cronnn, t1, t2, mysql2, mysql3, mysql4, mysql5, and mysql6. It goes without saying that Docker Hub users who may have installed any of these images will want to check their local images and running containers for those names, to prevent the slowdowns and other problems caused by the malicious cryptocurrency miner.
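Because deleting the account only removes the images from the registry, the practical check is on each host: list the images present locally and the images behind running containers, and compare them against the seventeen docker123321/* names above. The script below is an added example, not code from the article or from Kromtech; it assumes the standard docker CLI with its `docker images --format` and `docker ps --format` options, and that the images were pulled under their Docker Hub names (docker123321/name, optionally with a tag or digest).

```shell
#!/bin/sh
# Added example (not from the article or Kromtech): scan a list of image
# references for the 17 docker123321/* images named in the report.
# Assumes the real docker CLI and its --format flags; the image list can
# also be piped in from any other inventory (one reference per line).

# The 17 image names reported by Kromtech under the docker123321 account.
SUSPECT_IMAGES="tomcat tomcat11 tomcat22 kk mysql data mysql0 cron cronm cronnn t1 t2 mysql2 mysql3 mysql4 mysql5 mysql6"

# Read image references (repository[:tag][@digest]) on stdin and print each
# one that belongs to the docker123321 account.
# Returns 0 when at least one match was found, 1 otherwise.
find_suspect_images() {
    found=1
    while IFS= read -r ref; do
        # Strip a digest and then a tag so that
        # "docker123321/tomcat:latest" compares as "docker123321/tomcat".
        repo=${ref%%@*}
        repo=${repo%%:*}
        for name in $SUSPECT_IMAGES; do
            if [ "$repo" = "docker123321/$name" ]; then
                echo "$ref"
                found=0
                break
            fi
        done
    done
    return $found
}

# Inventory this host: local images plus the images of running containers.
# Exit status 0 means something suspicious was found, 1 means clean,
# 2 means the docker CLI is not available.
scan_host() {
    command -v docker >/dev/null 2>&1 || { echo "docker CLI not found" >&2; return 2; }
    {
        docker images --format '{{.Repository}}:{{.Tag}}'
        docker ps --format '{{.Image}}'
    } | sort -u | find_suspect_images
}
```

Run `scan_host` on each Docker host; any line it prints is an image to stop, remove, and investigate (a container started from it keeps mining regardless of what Docker Hub does). The same `find_suspect_images` function works on an image list exported from any other inventory, so a fleet-wide sweep only needs the references piped in.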

In the meantime, one reason this appears to have taken so long to fix seems to be the difficulty of reporting malicious uploads on Docker Hub. According to Kromtech, that has been a major complaint on GitHub. In fact, there may be even more complaints about this most recent run of bad Docker images which have previously gone unnoticed. What’s more, a significant number of Monero-mining Docker images appear to be uploaded to the site on a fairly regular basis. At the very least, this is not an isolated incident for tech-savvy users taking advantage of Docker Hub. Having said that, Docker Hub is by no means alone in what it does. So this may be something that it will need to address in the near future.