Cybersecurity researchers have found a number of campaigns concentrating on Docker Hub by planting hundreds of thousands of malicious “imageless” containers over the previous 5 years, as soon as once more underscoring how open-source registries might pave the way in which for provide chain assaults.
“Over 4 million of the repositories in Docker Hub are imageless and haven’t any content material aside from the repository documentation,” JFrog safety researcher Andrey Polkovnichenko stated in a report shared with The Hacker Information.
What’s extra, the documentation has no connection in anyway to the container. As a substitute, it is a internet web page that is designed to lure customers into visiting phishing or malware-hosting web sites.
Of the 4.79 million imageless Docker Hub repositories uncovered, 3.2 million of them are stated to have been used as touchdown pages to redirect unsuspecting customers to fraudulent websites as a part of three broad campaigns –
- Downloader (repositories created within the first half of 2021 and September 2023), which advertises hyperlinks to purported pirated content material or cheats for video video games however both straight hyperlinks to malicious sources or a reputable one which, in flip, comprises JavaScript code that redirects to the malicious payload after 500 milliseconds.
- E-book phishing (repositories created in mid-2021), which redirects customers trying to find e-books to an internet site (“rd.lesac.ru”) that, in flip, urges them to enter their monetary data to obtain the e-book.
- Web site (1000’s of repositories created every day from April 2021 to October 2023), which comprises a hyperlink to an internet diary-hosting service known as Penzu in some instances.
The payload delivered as a part of the downloader marketing campaign is designed to contact a command-and-control (C2) server and transmit system metadata, following which the server responds with a hyperlink to cracked software program.
However, the precise purpose of the web site cluster is presently unclear, with the marketing campaign additionally propagated on websites which have a lax content material moderation coverage.
“Essentially the most regarding side of those three campaigns is that there’s not loads that customers can do to guard themselves on the outset, aside from exercising warning,” Shachar Menashe, senior director of safety analysis at JFrog, stated in a press release shared with The Hacker Information.
“We’re basically taking a look at a malware playground that in some instances has been three years within the making. These risk actors are extremely motivated and are hiding behind the credibility of the Docker Hub title to lure victims.”
With risk actors taking painstaking efforts to poison well-known utilities, as evidenced within the case of the XZ Utils compromise, it is crucial that builders train warning relating to downloading packages from open-source ecosystems/
“As Murphy’s Regulation suggests, if one thing could be exploited by malware builders, it inevitably will likely be, so we count on that these campaigns could be discovered in additional repositories than simply Docker Hub,” Menashe stated.
