Freely subscribe to our NEWSLETTER

Analysis of the container images

Below are the five malicious container images we detected:

Container image in Docker Hub Detected Contains Contains Number of pulls
thanhtudo/thanhtudo:latest 01/07/2021 cryptominer dao.py script 100K+
thieunutre/thieunutre:latest 15/07/2021 cryptominer dao.py script 11
chanquaa/chanquaa:latest 30/12/2020 cryptominer dao.py script 18
c43602f9cc95/openjdk:0da242bd93b7f 04/07/2021 ? Execute _ xmrig 10K+
700888880a0/golang:e2e26c727b88 04/07/2021 ? Execute xmrig 10K+

The first three container images – thanhtudo, thieunutre, and chanquaa – all execute the script dao.py. This Python script was part of several previous campaigns that used typo squatting to hide malicious container images in Docker Hub (azurenql, about 1.5 million pulls). As seen below, the script executes a binary called xmrig (MD5: 4873e560df68ad96c3de08164b139b09), which is a Monero cryptocurrency miner hiding in one of the layers of the container image.

Two of the container images – openjdk and golang – used misleading titles that suggest they are official container images from OpenJDK and Golang, respectively. They are designed so that a user who is unfocused or in a hurry might mistake them as official container images, even though the Docker Hub accounts responsible for them are not official accounts. Once they are running, they may look like an innocent container. After running, the binary xmrig is executed (MD5: 16572572588c2e241225ea2bf6807eff), which hijacks resources for cryptocurrency mining.

While the first two container images are likely to be used as part of a supply chain attack, the rest are less likely to be considered as popular or legitimate container images. Collectively, these malicious container images gained more than 120,000 pulls.

How to protect against supply chain attacks

Attackers are increasingly targeting organisations’ software supply chains, and in some cases, they are getting better at hiding their attacks. Therefore, companies should improve their defensive measures to reduce the risk of falling victim to this type of attack. Here are some recommendations that will help you improve your security posture:

Control access to public registries

When running containers from a public registry, treat the registry as a source with a high risk of supply chain attacks. Attackers are trying to trick developers into inadvertently pulling malicious container images by camouflaging them as popular ones. To reduce risk, create a curated internal registry for base container images and limit who can access public registries. Enact policies that ensure container images are vetted before they are included in the internal registry.

Scan container images for malware using both static and dynamic analysis
Sophisticated attacks are often able to avoid detection when organisations use static, signature- or pattern-based scanning. For example, threat actors can evade detection by embedding code in container images that downloads malware only during runtime.

That’s why in addition to scanning any external unvetted container images for vulnerabilities, you need to use tools, such as Aqua Dynamic Threat Analysis (DTA), that dynamically analyse the container behaviour in a sandbox to identify attack vectors that wouldn’t be detected with static code scanning.
Digitally sign container images or use other methods of maintaining image integrity

It’s important to ensure that the container images in use are the same ones that have been vetted and approved. Using the Aqua platform, all scanned container images are automatically fingerprinted and tracked, which detects and prevents the use of non-compliant or unknown container images in your environment.

Conclusion

Supply chain attacks are a major threat to cloud native environments. Team Nautilus has identified five malicious container images that are hosted on Docker Hub, all of which aim to hijack resources for cryptocurrency mining. Organisations should create a security strategy that can detect and prevent supply chain attacks at every stage of the application lifecycle – from build to production.