Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious “imageless” containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks.
“Over four million of the repositories in Docker Hub are imageless and have no content except for the repository documentation,” JFrog security researcher Andrey Polkovnichenko said in a report shared with The Hacker News.
What’s more, the documentation has no connection whatsoever to the container. Instead, it’s a web page that’s designed to lure users into visiting phishing or malware-hosting websites.
Of the 4.6 million imageless Docker Hub repositories uncovered, 2.81 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns -
The payload delivered as part of the downloader campaign is designed to contact a command-and-control (C2) server and transmit system metadata, following which the server responds with a link to cracked software.
It’s suspected that the attacks may be part of a larger malware operation, which could involve adware or monetization schemes that derive monetary benefit out of distributing third-party software.
On the other hand, the exact goal of the website cluster is currently unclear, with the campaign also propagated on sites that have a lax content moderation policy.
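The pattern described above (a repository with no image content whose README exists only to push visitors to an off-site link) can be screened for before a pull. The following is an added example, not JFrog's tooling or code from the article; it assumes the shape of Docker Hub's public v2 API (a repository document with a `full_description` field and a `tags/` listing with `count` and `results`), and the sample responses are constructed, not captured from real repositories.

```python
"""Defender-side pre-pull check for "imageless" Docker Hub repositories."""
import json
import re
from urllib.parse import urlparse
from urllib.request import urlopen

HUB_API = "https://hub.docker.com/v2/repositories"  # assumed public v2 endpoint
URL_RE = re.compile(r"""https?://[^\s)\]>"']+""")
# Hosts that legitimately appear in container READMEs (assumption; tune per org).
TRUSTED_HOSTS = {"hub.docker.com", "docs.docker.com", "github.com"}


def external_links(full_description: str) -> list[str]:
    """Return README links that point outside the trusted host set."""
    links = URL_RE.findall(full_description or "")
    return [u for u in links if urlparse(u).hostname not in TRUSTED_HOSTS]


def assess_repository(repo_meta: dict, tags_resp: dict) -> dict:
    """Imageless repo + off-site links in its docs = the landing-page pattern.
    Imageless without links is still worth a human look before use."""
    imageless = tags_resp.get("count", 0) == 0 and not tags_resp.get("results")
    links = external_links(repo_meta.get("full_description", ""))
    verdict = "block" if (imageless and links) else ("review" if imageless else "ok")
    return {"imageless": imageless, "external_links": links, "verdict": verdict}


def fetch_and_assess(namespace: str, name: str) -> dict:
    """Live variant (network required): fetch both API documents, then assess."""
    base = f"{HUB_API}/{namespace}/{name}/"
    with urlopen(base) as r:
        meta = json.load(r)
    with urlopen(base + "tags/?page_size=1") as r:
        tags = json.load(r)
    return assess_repository(meta, tags)


# Constructed samples in the API's shape (not real repositories).
LURE_REPO = {"name": "free-tool", "full_description": "Download here: https://example.invalid/get"}
LURE_TAGS = {"count": 0, "results": []}
REAL_REPO = {"name": "nginx", "full_description": "See https://docs.docker.com/ for usage."}
REAL_TAGS = {"count": 1, "results": [{"name": "latest"}]}

if __name__ == "__main__":
    print(assess_repository(LURE_REPO, LURE_TAGS)["verdict"])  # block
    print(assess_repository(REAL_REPO, REAL_TAGS)["verdict"])  # ok
```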
JFrog said it counted a total of 208,739 fake accounts that the threat actors used to create the malicious and unwanted repositories. Docker has since taken down all of them following responsible disclosure.
“The most concerning aspect of these three campaigns is that there is not a lot that users can do to protect themselves at the outset, other than exercising caution,” Shachar Menashe, senior director of security research at JFrog, said in a statement shared with The Hacker News.
“We’re essentially looking at a malware playground that in some cases has been three years in the making. These threat actors are highly motivated and are hiding behind the credibility of the Docker Hub name to lure victims.”
With threat actors taking painstaking efforts to poison well-known utilities, as evidenced in the case of the XZ Utils compromise, it’s imperative that developers exercise caution when downloading packages from open-source ecosystems.
“As Murphy’s Law suggests, if something can be exploited by malware developers, it inevitably will be, so we expect that these campaigns can be found in more repositories than just Docker Hub,” Menashe said.