Docker Hub Hack Affects 190K Accounts, with Concerning Consequences

UPDATE

Docker Hub has confirmed that it was hacked last week; with sensitive data from approximately 190,000 accounts potentially exposed.

“On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data,” Kent Lamb, director of Docker Support, said in an email over the weekend, which a Docker user posted on online. “Upon discovery, we acted quickly to intervene and secure the site.”

The container specialist noted that it was a “brief period” of unauthorized access that impacted less than 5 percent of Hub users; however, the data includes usernames and hashed passwords, as well as Github and Bitbucket tokens for Docker autobuilds.

Docker has revoked GitHub tokens and access keys for affected accounts, and the company warned that this may affect ongoing builds from its automated build service; users “may need to unlink and then relink your GitHub and BitBucket source provider,” Lamb warned.

Torsten George, cybersecurity evangelist at Centrify, told Threatpost that “When you dig deeper into the details of the breach, you’ll see that it’s not about the numbers, but the reach. The big issue about this breach is the fact that the database included tokens from other much-used developer resources, including GitHub and Bitbucket. This breach stresses the importance of application-to-application password management (AAPM) and temporary credentials rather than permanent ones.”

Ramifications and What to Do

Cleanup from the incident could be significant endeavor, according to researchers.

“As a result of this breach, it’s possible that images in your Docker Hub repository may have been tampered with or overwritten,” Wei Lien Dang, vice president of product at StackRox, told Threatpost. “Attacks on the build pipeline can have serious downstream effects on what is currently running inside your infrastructure. Tainted images can be difficult to detect, and the containers launched from them may even run as expected, except with a malicious process in the background. If you use Docker Hub with Kubernetes environments, you’ll also need to roll your ImagePullSecrets.”

Even though the passwords were hashed, Docker Hub users should change their passwords on Docker Hub and any other accounts that share that password. Users can also view security actions on GitHub and BitBucket accounts to check for unauthorized access.

“Unexpected changes in images will have an effect on application behavior, making runtime detection and application baselining critical,” Dang said. “Characterizing the behaviors of individual Kubernetes deployments will highlight deviations in network connectivity, file access and process executions. These deviations are all indicators that malicious activity is taking place within a container. You need the ability to quickly inspect runtime activity within your containers to verify they are running only expected processes.”

Also, because Docker didn’t provide a specific timeline for this breach, no one knows how long ago the unauthorized access occurred. “As with most breaches, the perpetrators may have had access to compromised resources significantly longer than just last week,” Dang said. “To be safe, you should verify recently pushed images going back over the past several weeks. Doing this audit can be difficult, as not every registry will let you filter the data by image age.”

Docker: An Escalating Target?

Docker has been in the security headlines before in the recent past; for instance, in January, researchers hacked the Docker test platform called Play-with-Docker with a proof-of-concept hack, allowing them to access data and manipulate any test Docker containers running on the host system. The team was able to escape the container and run code remotely right on the host.

Also, last year 17 malicious docker images were found available on Docker Hub that allowed hackers to earn $90,000 in cryptojacking profits.

And Docker in 2017 patched a privilege escalation vulnerability that could also have lead to container escapes, allowing a hacker to affect operations of a host from inside a container.

Containers are increasing in popularity among DevOps users in companies of all sizes because they facilitate collaboration, which optimizes their ability to deliver code fast to virtual environments. However, Lacework in an analysis in 2018 noted that securing workloads in public clouds requires a different approach than that used for traditional data centers, where APIs drive the infrastructure and create short-lived workloads. In turn, they’re also becoming more interesting to cybercriminals, Dan Hubbard, chief security architect at Lacework, told Threatpost.

Enterprises also report an accelerating number of container attacks. In fact, 60 percent of respondents in a recent survey acknowledged that their organizations had been hit with at least one container security incident within the past year. In companies with more than 100 containers in place, that percentage rises to 75 percent.

_This story was updated on April 30 to add insight into potential repercussions of the incident. _