
Supply Chain Attacks Using Container Images

According to cybersecurity firm Aqua Security, a recently discovered cryptomining campaign used malicious Docker images to take over companies' computing resources for cryptocurrency mining.

The images were published to Docker Hub, the public registry. The researchers discovered five Docker Hub container images that could be used in a supply chain attack against cloud-native environments. Developers use Docker, a widely adopted containerization platform for Linux and Windows, to build and package applications.

According to Assaf Morag, principal data analyst at Aqua Security, the researchers discovered the malicious images during their routine manual examination of the registry.

"We regularly share this kind of information with Docker Hub and other public registries or repositories (GitHub, Bitbucket, etc)," Morag says. 

"Based on the information we share with Docker Hub, they conduct their investigation and decide whether or not they close the namespace. In this particular case, they closed these namespaces on the same day we had reached out to them. Docker Hub’s reaction and response time are absolutely amazing.” 

The first three container images discovered by the researchers - thanhtudo, thieunutre, and chanquaa - launch the Python script dao.py, which has appeared in several past campaigns that hid malicious container images on Docker Hub behind typosquatted names. The other two container images are named openjdk and golang, reusing the names of the official images of the same name but published from non-official namespaces.

"We haven’t seen any indication that they were used in attacks in the wild but that doesn’t mean that they were or weren’t. Our goal is to shine a bright light on these container images with misleading names, saying that they contain cryptominer which is executed once you run the container, even though there is no indication in the namespace that this is the purpose of these container images." 

These malicious images are designed to be easily mistaken for legitimate container images, although the Docker Hub accounts responsible for them are not official accounts.

"Once they are running, they may look like an innocent container. After running, the binary xmrig is executed (MD5: 16572572588c2e241225ea2bf6807eff), which hijacks resources for cryptocurrency mining," the researchers added. 

"I guess you will never log in to the webpage mybunk[.]com, but if the attacker sent you a link to this namespace, it might happen," he says. "The fact is that these container images accumulated 10,000-plus pulls, each."

While it is unknown who is orchestrating the campaign, the fraudulent Docker Hub namespaces were taken down once Aqua Security alerted Docker. According to Morag, these containers are not interactively controlled by an attacker; instead, a script at the image's entrypoint/cmd launches an automated attack. In this case the attack was confined to stealing computing resources for cryptocurrency mining.

Morag added, "When someone runs these container images, there’s a script that 'loads' the mining configuration and executes a binary that is designed to communicate with a mining pool and execute a crypto mining script. In all cases – XMRIG.” 

Attackers are increasingly targeting software supply chains, and they are getting better at concealing their attacks. Businesses should therefore strengthen their controls to reduce the chance of falling victim to such an attack. Aqua Security offers the following suggestions for improving security posture:
1. Control access to public registries: When running containers from a public registry, treat the registry as a high-risk source for supply chain attacks. Attackers try to dupe developers into unintentionally fetching malicious container images by masquerading them as popular ones. Create a curated internal registry for base container images to minimise risk, and restrict who can access public registries. Implement policies to ensure that container images are verified before they are added to the internal registry.

2. Scan container images for malware using static and dynamic analysis: When companies rely only on static, signature- or pattern-based scanning, sophisticated attacks can easily evade detection. Threat actors, for example, might avoid detection by embedding code in container images that only downloads the malware at run time.

3. Digitally sign container images or use other image integrity measures: This helps to guarantee that the container images in use are the same ones that were reviewed and approved.
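The following is an added example, not code from Aqua Security, Docker, or the post's author. It turns the three recommendations above, together with the entrypoint behaviour Morag describes (a script at the entrypoint that loads a mining configuration and launches xmrig), into a pre-pull admission gate: a reference must come from an approved internal registry and be pinned by digest, a name that reuses or imitates an official Docker Hub image from an unofficial namespace is rejected, and the image config plus a listing of layer contents is checked for miner indicators. APPROVED_REGISTRIES, OFFICIAL_NAMES, the sample image config, the file listing and the sample script are constructed for this example; the xmrig MD5 is the one quoted in the post, and the namespace "mybunk" is the one the post mentions.

```python
"""Pre-pull admission gate for container images (added example).

Models the three recommendations as code: approved-registry and digest
pinning checks, lookalike/typosquat detection against official image
names, and a static scan of image config and layer contents for the
miner indicators described in the post. All allow-lists and samples are
constructed for the example.
"""
import re
from difflib import SequenceMatcher

APPROVED_REGISTRIES = {"registry.internal.example"}           # constructed
OFFICIAL_NAMES = {"openjdk", "golang", "python", "alpine", "ubuntu", "node"}
XMRIG_MD5 = "16572572588c2e241225ea2bf6807eff"               # quoted in the post

# [registry/]path[:tag][@sha256:digest]. The first component is a registry
# only when it contains a dot or a port, or is 'localhost' (Docker's rule).
REF_RE = re.compile(
    r"^(?:(?P<registry>localhost(?::\d+)?|[^/:]+\.[^/:]*(?::\d+)?)/)?"
    r"(?P<path>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[\w][\w.-]*))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_reference(ref):
    """Split an image reference into registry, repository path, tag, digest."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    registry = m.group("registry") or "docker.io"
    path = m.group("path")
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path      # bare names resolve to the official namespace
    return {"registry": registry, "path": path,
            "tag": m.group("tag"), "digest": m.group("digest")}


def check_reference(ref):
    """Policy findings for one image reference; an empty list means allowed."""
    r = parse_reference(ref)
    namespace, _, name = r["path"].rpartition("/")
    findings = []
    if r["registry"] not in APPROVED_REGISTRIES:
        findings.append(f"registry '{r['registry']}' is not an approved internal registry")
    if r["digest"] is None:
        findings.append("reference is not pinned by digest (a mutable tag can be repointed)")
    if r["registry"] == "docker.io" and namespace != "library":
        if name in OFFICIAL_NAMES:
            findings.append(f"'{name}' reuses an official image name under unofficial namespace '{namespace}'")
        else:
            for official in sorted(OFFICIAL_NAMES):
                if SequenceMatcher(None, name, official).ratio() >= 0.8:
                    findings.append(f"'{name}' looks like a typosquat of official image '{official}'")
    return findings


SCRIPT_ENTRY = re.compile(r"\b(?:python[\d.]*|sh|bash)\s+\S+\.(?:py|sh)\b")
RUNTIME_FETCH = re.compile(r"\b(?:curl|wget)\b")
MINER_FILE = re.compile(r"xmrig|minerd|cpuminer", re.I)
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+")


def scan_image(config, files, scripts):
    """Static indicators over an image config (Entrypoint/Cmd), a {path: md5}
    listing of layer contents, and the text of scripts found in the layers."""
    findings = []
    cmdline = " ".join((config.get("Entrypoint") or []) + (config.get("Cmd") or []))
    if SCRIPT_ENTRY.search(cmdline):
        findings.append(f"entrypoint runs a script rather than the advertised program: {cmdline!r}")
    for path, md5 in files.items():
        if md5.lower() == XMRIG_MD5:
            findings.append(f"{path} matches the known xmrig hash")
        elif MINER_FILE.search(path):
            findings.append(f"{path} has a miner-like file name")
    for path, text in scripts.items():
        if POOL_URL.search(text):
            findings.append(f"{path} contains a mining pool URL")
        if RUNTIME_FETCH.search(text):
            findings.append(f"{path} fetches content at run time; a static scan alone will not see that payload")
    return findings


# Constructed sample modelled on the post: an 'openjdk' lookalike whose
# entrypoint runs dao.py, which loads a pool config and launches xmrig.
SAMPLE_CONFIG = {"Entrypoint": ["python3", "/opt/dao.py"], "Cmd": None}
SAMPLE_FILES = {"/opt/dao.py": "d41d8cd98f00b204e9800998ecf8427e",      # placeholder md5
                "/usr/local/bin/xmrig": XMRIG_MD5,
                "/opt/config.json": "0cc175b9c0f1b6a831c399e269772661"}  # placeholder md5
SAMPLE_SCRIPTS = {"/opt/dao.py":
                  'import json, subprocess\n'
                  'cfg = json.load(open("/opt/config.json"))\n'
                  'subprocess.run(["/usr/local/bin/xmrig", "-o", '
                  '"stratum+tcp://pool.example:3333", "-u", cfg["wallet"]])\n'}

if __name__ == "__main__":
    for ref in ("mybunk/openjdk:latest", "thanhtudo/openjkd:latest",
                "registry.internal.example/base/openjdk@sha256:" + "a" * 64):
        print(ref, "->", check_reference(ref) or "allowed")
    for finding in scan_image(SAMPLE_CONFIG, SAMPLE_FILES, SAMPLE_SCRIPTS):
        print("scan:", finding)
```

The reference check is cheap enough to run as an admission hook before every pull; the content scan is only a first filter, which is why the post also recommends dynamic analysis for images whose entrypoint downloads its payload at run time.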

Docker Hub hack leaked sensitive data of 190,000 users




Docker Hub discovered unauthorized access to a database that exposed sensitive data of more than 190,000 account holders.

The exposed information includes usernames, hashed passwords, and tokens for GitHub and Bitbucket repositories.

The company started emailing its customers about the security breach soon after it was discovered. However, it is unclear how the attackers gained access to the database.

"On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data," said Kent Lamb, Director of Docker Support.

Docker is recommending that all its users change their passwords. GitHub tokens and access keys for the impacted accounts have been revoked, so users with autobuilds are affected and need to reconnect their repositories.

Docker Hub is a cloud-hosted registry of container images created by users and communities, which other users can download.

"We are enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place. Our investigation is still ongoing, and we will share more information as it becomes available," reads the breach notice.


Docker Hub hack exposes sensitive data of 190,000 users

An unauthorized person gained access to a Docker Hub database, exposing sensitive information for approximately 190,000 users. Docker says the intruder had access to this database only for a brief period and that the affected accounts make up about five percent of Docker Hub's entire user base.

This information included some usernames and hashed passwords, as well as tokens for GitHub and Bitbucket repositories used for Docker autobuilds.

GitHub and Bitbucket access tokens stored in Docker Hub allow developers to modify their project's code and have Docker Hub automatically build, or autobuild, the image. If a third party gains access to these tokens, it could read a private repository's code and possibly modify it, depending on the permissions granted to the token.

The loss of these keys and tokens could have downstream effects if attackers used them to access source code at large companies.

Docker Hub is the official registry for Docker container images. Docker, the company behind it, makes software tools for programmers and developers.

According to a security notice sent late Friday night, Docker became aware of unauthorized access to a Docker Hub database on April 25th, 2019.

Docker disclosed the breach in an email to customers and users of Docker Hub, its cloud-based service that’s used by several companies and thousands of developers all over the world. In the email, obtained by Motherboard, Docker said that the stolen data includes “usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.”

"On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data," said Kent Lamb, Director of Docker Support.

Experts Motherboard spoke to said that, in a worst-case scenario, the hackers would have been able to access proprietary source code from some of those accounts. Specifically, Docker allows developers to run software packages known as “containers.” It is used by some of the largest tech companies in the world, though it is not yet publicly known what information was accessed and which companies’ accounts were affected.