Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious “imageless” containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks.
“Over four million of the repositories in Docker Hub are imageless and have no content except for the repository documentation,” JFrog security researcher Andrey Polkovnichenko said in a report shared with The Hacker News.
What’s more, the documentation has no connection whatsoever to the container. Instead, it’s a web page that’s designed to lure users into visiting phishing or malware-hosting websites.
Of the 4.79 million imageless Docker Hub repositories uncovered, 3.2 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns –
The payload delivered as part of the downloader campaign is designed to contact a command-and-control (C2) server and transmit system metadata, following which the server responds with a link to cracked software.
On the other hand, the exact goal of the website cluster is currently unclear, with the campaign also propagated on sites that have a lax content moderation policy.
“The most concerning aspect of these three campaigns is that there is not a lot that users can do to protect themselves at the outset, other than exercising caution,” Shachar Menashe, senior director of security research at JFrog, said in a statement shared with The Hacker News.
“We’re essentially looking at a malware playground that in some cases has been three years in the making. These threat actors are highly motivated and are hiding behind the credibility of the Docker Hub name to lure victims.”
With threat actors taking painstaking efforts to poison well known utilities, as evidenced in the case of the XZ Utils compromise, it’s imperative that developers exercise caution when it comes to downloading packages from open-source ecosystems/
“As Murphy’s Law suggests, if something can be exploited by malware developers, it inevitably will be, so we expect that these campaigns can be found in more repositories than just Docker Hub,” Menashe said.
