Cryptominers in Docker Hub Image

Malicious Docker Hub containers infect 20 million with cryptomining malware. Aviv Sasson, part of the Palo Alto Networks threat intelligence team, Unit 42, discovered 30 malicious images with a total number of 20 million pulls (the images were downloaded 20 million times), together accounting for cryptojacking operations worth US$200,000.

Docker Hub is the largest library of container applications, allowing companies to share images internally or with their customers, or the developer community to distribute open-source projects.

Malicious Cryptojacking Images

The cloud is popular for cryptojacking attacks due to two main reasons:

  • The cloud consists of many instances for each target (e.g. lots of CPUs, lots of containers, lots of virtual machines), which can translate to big mining profits.
  • The cloud is hard to monitor. Miners can run undetected for a long time, and without any detection mechanisms in place, they may run until the user finds an inflated cloud usage bill and realizes that something is wrong.

Modern cloud technology is mainly based on containers, and in some environments, Docker Hub is the default container registry. Attackers can take advantage of it to deploy miners on compromised clouds.

The researcher found 30 images from 10 different Docker Hub accounts that account for over 20 million pulls. It is possible to check how many cryptocurrencies were mined to a mining pool account by inspecting the mining pool.

The most popular cryptocurrency for attackers to mine is Monero. Attackers favor Monero for three reasons:

  • Monero provides maximum anonymity. Monero transitions are hidden. This privacy is perfect for cybercriminals because it means their activity is hidden.
  • The Monero mining algorithm favors CPU mining, unlike many other cryptos that require ASICs or GPU for mining. This is convenient because all computers have CPUs. Thus, the miner can run effectively on any machine. This is even more suitable for containers, of which the vast majority run without a GPU.
  • Monero is a popular coin, and its exchange volume is around US$100 million a day, making it easy for the attackers to sell their coins.
Cryptominer Distribution

In most attacks that mine Monero, the attackers used XMRig. XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open-source. Hence, attackers can modify their code.

Cryptominer Distribution

Image Tags

Looking at the image tags, which reference different versions, Sasson discovered that in some cases there are different tags for various processor architectures or operating systems.

“It seems like some attackers are versatile and add these tags to fit a broad range of potential victims that includes a number of operating systems (OS) and CPU architectures.”, Aviv Sasson.

Protection from these Threats

Palo Alto Networks Prisma Cloud customers are protected from these threats through the Cryptominers Runtime Detection feature and the Trusted Images feature. Also, Palo Alto Networks Next-Generation Firewall customers with the Threat Prevention security subscription are protected against the delivery of these images.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Suggested Read

Flan Scan – Cloudflare Released New Network Vulnerability Scanner Tool Based on Nmap

MobiKwik Data Breach – Hackers Selling Over 8TB of Users Personal and Financial Data

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.