
Presents you don't want - Malicious images on Docker Hub


Slides from a talk presented at Docker meetup London in July 2018 about a recent wave of malicious images containing backdoors & crypto-mining software being published on Docker Hub.

Stepan Stipl

July 26, 2018

Transcript

  1. Štěpán Štípl
     - Cloud Architect & Engineer, DevOps
     - Kubernetes enthusiast
     - Clients: Lloyds Banking, Tessian, Yoti, Sky, Tesco, Oracle, HP and others...
     - Scuba diver, Snowboarder
     - Bass player
     - Proud servant of one cat
  2. Backdoored images downloaded 5 million times finally removed from Docker Hub -- Ars Technica
     - 17 docker images
     - over 10 months
     - 5+ million downloads
     - backdoors, crypto-mining: 544 XMR ($90k USD)
     - 8+ months to remove
     - GH Issue: "[dockmylife/memorytest] Report malicious image" from September 2017 (https://github.com/docker/hub-feedback/issues/1121)
     - Not blaming Docker Hub!
  3. Timeline
     - Jan 2018 - Sysdig report - Fishing for Miners – Cryptojacking Honeypots in Kubernetes (https://sysdig.com/blog/detecting-cryptojacking/)
     - May 2018 - Fortinet - Yet Another Crypto Mining Botnet? (https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html)
     - Jun 2018 - Kromtech - Cryptojacking invades cloud. How modern containerization trend is exploited by attackers - detailed report (https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers)
     - Feb 2018 - Jenkins remote code execution ($1.5m) & Kubernetes (Tesla)
  4. docker123321
     - 17 images
     - Created between July 2017 and Jan 2018
     - Common names like tomcat, mysql, data, cron
     - Typically used via unsecured Kubernetes or Docker

     | Docker image name | Type of malware |
     |---|---|
     | docker123321/tomcat, docker123321/mysql2, docker123321/mysql3, docker123321/mysql4, docker123321/mysql5, docker123321/mysql6 | Python reverse shell |
     | docker123321/tomcat11 | Bash reverse shell |
     | docker123321/tomcat22 | add attacker's SSH key |
     | docker123321/cronm, docker123321/cronm, docker123321/cronnn, docker123321/mysql, docker123321/mysql0, docker123321/data, docker123321/t1, docker123321/t2 | crypto mining (.jpg file) |
     | docker123321/kk | crypto mining (.sh file) |
  5. Key takeaways
     - Be aware of this
     - Running an unknown image is like running unknown code
     - Possibly giving someone access to your host
     - Access to your network
     - Cloud - permissions associated with instances
  6. Run securely
     - Build your own images (secure ones :)
     - Run with minimal set of privileges, no root
     - Run with resource limitations
     - Read-only fs
     - Network segmentation, no outbound traffic
     - Runtime security - Sysdig Falco (https://github.com/draios/falco/)
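The same recommendations expressed as a Kubernetes manifest, added here as an illustration and not part of the talk's slides. The image reference, namespace, labels and UID are hypothetical placeholders; each setting is annotated with the malicious behaviour from slide 4 it limits.

```yaml
# Added example (not from the talk): a Pod spec applying slide 6's
# recommendations, plus a NetworkPolicy that blocks all outbound traffic.
# Image name, namespace, labels and UID are hypothetical placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: demo
  labels:
    app: hardened-app
spec:
  automountServiceAccountToken: false   # no Kubernetes API credentials inside the container
  securityContext:
    runAsNonRoot: true                  # kubelet refuses to start the container as UID 0
    runAsUser: 10001
  containers:
  - name: app
    image: registry.example.com/team/app:1.0.0   # your own image, not an unknown Hub image
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true      # a backdoor cannot write ~/.ssh/authorized_keys or drop a miner binary
      capabilities:
        drop: ["ALL"]
    resources:
      limits:
        cpu: "500m"                     # caps what a crypto-miner could consume
        memory: "256Mi"
    volumeMounts:
    - name: tmp
      mountPath: /tmp                   # scratch space, since the root fs is read-only
  volumes:
  - name: tmp
    emptyDir: {}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: demo
spec:
  podSelector:
    matchLabels:
      app: hardened-app
  policyTypes:
  - Egress                              # no egress rules listed, so all outbound traffic (reverse shells, mining pools) is denied
```

A deny-all egress policy also blocks DNS and any legitimate outbound calls, so add explicit egress rules for those. NetworkPolicy is only enforced when the cluster's CNI plugin implements it; without such a plugin the object is accepted but has no effect.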