Malicious Docker Hub containers infect 20 million with cryptomining malware
Security researchers have uncovered a cryptomining operation that is estimated to have netted its authors over $200,000.
Instead of planting cryptomining malware through an elaborate campaign, the cybercriminals simply baked it into dozens of container images, which have since clocked over 20 million downloads.
Armed with a simple cryptomining scanner, Palo Alto Networks Unit 42 researcher Aviv Sasson discovered 30 malicious images on Docker Hub, which leads him to believe that there “are many other undiscovered malicious images on Docker Hub and other public registries.”
Sasson found tainted images from ten different accounts. He believes piggybacking cryptomining malware inside container images is lucrative because images pulled from a reputable registry such as Docker Hub are rarely inspected before they are run.
Unsurprisingly, most of the malicious images mined the Monero cryptocurrency, a favourite among unscrupulous users for its enhanced privacy and anonymity. A small number mined the Grin and Aronium cryptocurrencies instead.
The open source XMRig miner was likewise the tool of choice, while a small percentage used the xmr-stak miner.
Interestingly, Sasson observed that the malicious uploaders had tagged their tainted images by operating system and CPU architecture in order to deliver optimized payloads for each.
“The only thing that is common for all the tags in a certain image is the crypto wallet address or the mining pool credentials,” says Sasson, who then inspected their mining pool information to estimate the worth of the total cryptocurrency mined using the tainted images.
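The indicator Sasson describes can be checked on a pulled image before it is ever run. The following is an added example, not Unit 42's scanner or any code from the article: it reads image configuration in the shape `docker image inspect` prints (the `Entrypoint`, `Cmd` and `Env` fields), pulls out the miner binary name, the stratum pool endpoint and the Monero wallet or pool username, and then groups tags that share a wallet, which is the property the article says ties the OS- and architecture-specific tags of one image together. The image names, the pool hostname `pool.example.invalid` and the wallet string are constructed placeholders; no real Docker Hub image or address appears here.

```python
"""
Added example, not code from the article or from Unit 42: a heuristic scanner
over Docker image configuration (the Config.Entrypoint / Config.Cmd / Config.Env
fields that `docker image inspect` prints). It extracts the indicators the
article says are shared across the per-architecture tags of a malicious image,
the pool endpoint and the wallet address / pool username, and groups tags by
wallet. All image names, hostnames and the wallet string below are constructed
placeholders.
"""
import json
import re
import shlex
from collections import defaultdict

# stratum+tcp:// and stratum+ssl:// are the pool URL schemes XMRig and xmr-stak use.
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://[\w.\-]+:\d+")
# Standard Monero address: leading 4 (8 for subaddresses) plus 94 base58 characters.
XMR_ADDR_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
POOL_FLAGS = {"-o", "--url"}      # XMRig pool-URL flags
WALLET_FLAGS = {"-u", "--user"}   # XMRig wallet / pool-username flags
MINER_NAMES = ("xmrig", "xmr-stak", "minerd")

# Constructed placeholder (valid base58 shape, not a real address).
FAKE_WALLET = "4" + "A" * 47 + "B" * 47

# Constructed sample configs in the shape of `docker image inspect` output elements.
SAMPLE_IMAGES = {
    "evil/miner:amd64": {"Config": {
        "Entrypoint": ["/usr/bin/xmrig"],
        "Cmd": ["-o", "stratum+tcp://pool.example.invalid:3333",
                "-u", FAKE_WALLET + ".worker1", "-k"],
        "Env": ["PATH=/usr/local/bin:/usr/bin"]}},
    "evil/miner:arm64": {"Config": {
        "Entrypoint": None,
        "Cmd": ["/bin/sh", "-c",
                "./xmrig --url=stratum+ssl://pool.example.invalid:443 --user " + FAKE_WALLET],
        "Env": []}},
    "benign/web:latest": {"Config": {
        "Entrypoint": ["/docker-entrypoint.sh"],
        "Cmd": ["nginx", "-g", "daemon off;"],
        "Env": ["NGINX_VERSION=1.21.6"]}},
}
# `docker image inspect` prints a JSON array; this is a one-element array as constructed text.
SAMPLE_INSPECT_JSON = json.dumps([SAMPLE_IMAGES["evil/miner:amd64"]])


def load_inspect_output(text):
    """Return the first image config from `docker image inspect` JSON output."""
    return json.loads(text)[0]


def image_command(config):
    """Flatten Entrypoint + Cmd into one argv; split shell-form ["/bin/sh", "-c", "..."]."""
    cfg = config.get("Config") or {}
    argv = list(cfg.get("Entrypoint") or []) + list(cfg.get("Cmd") or [])
    if len(argv) >= 3 and argv[0].endswith("sh") and argv[1] == "-c":
        argv = argv[:2] + shlex.split(argv[2])
    return argv


def extract_indicators(config):
    """Miner name, pool endpoints and wallets found in the image's command line and env."""
    argv = image_command(config)
    env = (config.get("Config") or {}).get("Env") or []
    blob = " ".join(argv + env)
    miner = next((n for n in MINER_NAMES if n in blob.lower()), None)
    pools = set(POOL_RE.findall(blob))
    wallets = set(XMR_ADDR_RE.findall(blob))
    # Flag values catch non-stratum pools and non-Monero wallets the regexes miss.
    for i, tok in enumerate(argv[:-1]):
        if tok in POOL_FLAGS:
            pools.add(argv[i + 1])
        elif tok in WALLET_FLAGS:
            wallets.add(argv[i + 1].split(".")[0])  # drop XMRig's "wallet.worker" suffix
    return {"miner": miner, "pools": pools, "wallets": wallets}


def group_tags_by_wallet(images):
    """Map each wallet to the sorted tags whose config launches a miner paying it."""
    groups = defaultdict(list)
    for tag, cfg in images.items():
        ind = extract_indicators(cfg)
        if ind["miner"] or ind["pools"]:
            for wallet in ind["wallets"]:
                groups[wallet].append(tag)
    return {w: sorted(tags) for w, tags in groups.items()}


if __name__ == "__main__":
    for wallet, tags in group_tags_by_wallet(SAMPLE_IMAGES).items():
        print(f"{wallet[:8]}... paid by {len(tags)} tag(s): {', '.join(tags)}")
```

Feed it the output of `docker image inspect <image:tag>` for each tag of interest (the command prints a JSON array; `load_inspect_output` takes the first element). Two tags of the same image, one built for amd64 and one for arm64 with a different launch form, collapse into one cluster because they pay the same wallet. A miner started by a script inside a layer rather than by the image config will not show up here; for that the layer filesystem has to be extracted (for example with `docker save`) and scanned, and any hit should be confirmed on the pool side, as Sasson did.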