It’s now been confirmed that Docker’s team had to pull 17 different container images that had dangerous backdoors stored inside of them. These backdoors had been used to install things like hacked cryptocurrency mining software and reverse shells on servers for approximately the last year. New Docker images don’t go through any sort of security auditing process, so they were listed on the Docker Hub as soon as they were posted in May 2017.
All of the image files were uploaded by a single individual or group operating under the handle of docker123321, which is tied to a registry that was purged on May 10 of this year. A few packages were installed over one million times, though this doesn’t necessarily mean they had actually infected that many machines. Not all backdoors may have ever been activated and users may have installed them more than once or put them on various types of virtualized servers.
Both Docker and Kubernetes, which is an application for managing large scale Docker image deployments, began showing irregular activities as early as September 2017 yet the images were only pulled relatively recently. Users reported unusual happenings on cloud servers and reports were posted on GitHub as well as a popular social networking page.
Linux security experts claim that in a majority of cases where the attacks were actually successful, those carrying out said attacks were using the tainted image files to launch some form of XMRig software on victimized servers in order to mine Monero coins. This gave attackers the ability to mine over $90,000 worth of Monero depending on current exchange rates.
Some servers as of June 15 might still be compromised. Even if the tainted images were deleted, attackers might have obtained some sort of other means to manipulate a server. Some security experts have recommended wiping servers clean, and they’ve gone so far as to insinuate that pulling images from DockerHub without knowing what’s in them may be an unsafe practice for the future.
Those who have only ever deployed homemade images in Docker and Kubernetes environments are not effected, however. The same goes for those who have only ever used certified images.