Cybercriminals are beginning to use malicious container images to install cryptocurrency miners on corporate networks, and the same images can also serve as part of supply chain attacks targeting cloud-native environments.
According to a new blog post from cybersecurity firm Aqua Security, its threat research team, Team Nautilus, discovered several malicious container images during its daily scan of Docker Hub for malicious activity, including some that point to supply chain attacks.
The first three container images the research team discovered (thanhtudo, thieunutre and chanquaa) all run a Python script called dao.py, which had previously been used in typosquatting campaigns to hide malicious container images on Docker Hub.
The dao.py script runs a binary called xmrig, a Monero cryptocurrency miner hidden in one of the layers of the container image.
Malicious container image
The two other container images discovered by Aqua Security (openjdk and golang) use misleading titles to present themselves as official container images from OpenJDK and Golang, respectively.
The cybercriminals behind this campaign designed them so that busy users would mistake them for official container images, even though the Docker Hub account publishing them is unofficial. Once run, these container images execute the xmrig binary, which hijacks network resources for cryptocurrency mining.
The first two container images (thanhtudo and thieunutre) may be intended for use in a supply chain attack, while the other images are primarily used to mine cryptocurrency. Together, all five malicious container images have accumulated more than 120,000 pulls from Docker Hub.
To protect organizations and their networks from both cryptominers and supply chain attacks, Aqua Security recommends controlling access to public registries, scanning container images for malware using both static and dynamic analysis, and digitally signing container images to maintain image integrity.
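As an added illustration of the static-analysis step (example code written for this article, not Aqua Security's tooling), the following Python walks a `docker save` tarball layer by layer and flags files whose names match the indicators named above (xmrig, dao.py) or that are executable ELF binaries hidden in a layer; the two-layer sample image it scans is constructed in memory.

```python
import io
import json
import tarfile

# Watchlist for this demo: the miner binary and dropper script named in the report.
SUSPICIOUS_NAMES = {"xmrig", "dao.py"}
ELF_MAGIC = b"\x7fELF"

def scan_layer(layer_bytes):
    """Scan one layer tarball; flag watchlisted names and executable ELF files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
        for member in layer.getmembers():
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            head = layer.extractfile(member).read(4)
            if base in SUSPICIOUS_NAMES:
                findings.append(("name-match", member.name))
            elif head == ELF_MAGIC and member.mode & 0o111:
                findings.append(("elf-executable", member.name))
    return findings

def scan_image(image_bytes):
    """Walk a `docker save` tarball: every layer listed in manifest.json is scanned."""
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        return {p: scan_layer(image.extractfile(p).read()) for p in manifest[0]["Layers"]}

def _tar_bytes(files):
    """Build an in-memory tar from {path: (content, mode)} (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, (content, mode) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_image():
    """Constructed two-layer image: clean base layer, second layer hiding a miner."""
    elf = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9  # fake ELF header, not a real binary
    base = _tar_bytes({"etc/os-release": (b"ID=alpine\n", 0o644)})
    hidden = _tar_bytes({"usr/bin/dao.py": (b"import os\n", 0o755),
                         "tmp/.x/xmrig": (elf, 0o755),
                         "tmp/.x/miner": (elf, 0o755)})
    manifest = json.dumps([{"Config": "c.json", "Layers": ["l0/layer.tar", "l1/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": (manifest, 0o644),
                       "l0/layer.tar": (base, 0o644), "l1/layer.tar": (hidden, 0o644)})
```

Run `scan_image(build_sample_image())` to get a per-layer report; the base layer comes back empty while the second layer reports dao.py, xmrig and the unnamed ELF executable.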
Source: Hackers exploit container technology to carry out supply chain attacks