2.8 million Docker Hub repositories infected with malware or phishing

Once again, there have been attacks on public repositories, this time on Docker Hub. The hackers distributed Trojans or stole credit card data.

Stylized image: a stack of burning appliances

Vulnerabilities threaten appliances.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Security specialists from the DevOps platform JFrog have found 2.8 million malicious Docker Hub repositories, which corresponds to 19 percent of all repos. These were imageless directories that only contained metadata, in particular a description with phishing or malware links.

Hackers are increasingly attacking public software repositories in order to distribute malicious code or phishing links. One such attack has now hit Docker Hub, a service used by developers to manage Docker images and make them publicly available to other users. In addition to images, the repos contain metadata, in particular a description of the functions of the respective images. In an analysis carried out as part of a partnership with Docker, JFrog found that 4.6 million of the 15 million repos do not contain an image at all, but only the description. Almost three million of these were used for malicious purposes but have since been deleted.

Example of a phishing page on Docker Hub.

(Image: JFrog)

Over time, JFrog found two major attacks in 2021 and 2023 and a smaller, steadily operating one. In terms of content, there were mainly three types of attacks:

  • Downloader: The descriptions in the Docker Hub metadata advertised a program that was supposed to deliver illegal downloads or game cheats, but actually contained a Trojan.
  • E-book: The texts promised free e-books, but the underlying websites attempted to steal credit card details or sign victims up for a subscription service (40 to 60 euros per month).
  • SEO: A small, unclear campaign that was unable to cause any direct damage. The analysts at JFrog suspect a test series.

The hackers were able to take advantage of the fact that Docker checks images for malicious code, but not the metadata. The effort behind the campaigns was enormous, as all pages were slightly different and were set up by different users. This indicates that the criminals expected a substantial return. JFrog informed Docker before the analysis was published, and the operator deleted the pages.
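A defender-side triage heuristic for the pattern described above (imageless repositories whose only content is a description pointing at external links), written as an added example; it is not code from the article, JFrog or Docker. The record field names and the sample repositories are constructed assumptions, not real Docker Hub data.

```python
import re
from urllib.parse import urlparse

# Constructed sample records. The field names (name, tags, description) are an
# assumption about how repository metadata might be exported, not a real API.
SAMPLE_REPOS = [
    {"name": "acme/webapp", "tags": ["1.0", "latest"],
     "description": "Internal web app image. Docs: https://docs.example.org"},
    {"name": "user123/free-ebook-reader", "tags": [],
     "description": "Download free e-books here: https://ebook-lure.example"},
    {"name": "user456/game-helper", "tags": [],
     "description": "Game cheats and cracked downloads -> https://dl.example/setup.exe"},
    {"name": "user789/notes", "tags": [],
     "description": "Scratch repo, nothing here yet."},
]

URL_RE = re.compile(r"https?://[^\s)>\]]+", re.IGNORECASE)
# Lure vocabulary taken from the campaign types the article describes.
LURE_TERMS = ("free e-book", "free ebook", "cheat", "crack", "download")
# Hosts treated as expected in a legitimate description (assumed allow-list).
TRUSTED_HOSTS = {"docs.docker.com", "hub.docker.com", "github.com"}


def external_links(text):
    """Return URLs in the description that point outside the allow-listed hosts."""
    return [u for u in URL_RE.findall(text)
            if urlparse(u).hostname not in TRUSTED_HOSTS]


def triage(repo):
    """Label one repository: image scanning never sees a description-only repo,
    so an imageless repo with outbound links is the case to review manually."""
    imageless = not repo["tags"]          # no image was ever pushed
    links = external_links(repo["description"])
    lure = any(t in repo["description"].lower() for t in LURE_TERMS)
    if imageless and links and lure:
        return "high"      # description-only repo advertising a lure with a link
    if imageless and links:
        return "medium"    # description-only repo that only carries a link
    if imageless:
        return "low"       # empty placeholder, nothing to follow
    return "ok"            # has images; covered by Docker's image scanning


def triage_repositories(repos):
    """Map repository name -> risk label for a batch of metadata records."""
    return {r["name"]: triage(r) for r in repos}


if __name__ == "__main__":
    for name, label in triage_repositories(SAMPLE_REPOS).items():
        print(f"{label:6} {name}")
```

The labels only prioritise review; a "high" result still needs a human to confirm that the linked site is hostile before anything is reported or removed.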

The attacks took place in two peaks in 2021 and 2023.

(Image: JFrog)

In their write-up of the attack, the security analysts point out that Docker Hub users should pay attention to the Trusted Content field in repos, which indicates that Docker has vetted the repository's operators.

(who)