
Millions of sneaky ‘imageless’ containers found on Docker Hub


TLDR:

Researchers have found millions of malicious “imageless” containers on Docker Hub over the past five years, used in supply chain attacks. These repositories have no content except for documentation that leads users to phishing or malware-hosting websites.

The malicious containers were part of three broad campaigns – Downloader, E-book phishing, and Website – each designed to redirect users to fraudulent sites or collect personal information.

Full Article:

Cybersecurity researchers have uncovered multiple campaigns targeting Docker Hub by planting millions of malicious “imageless” containers over the past five years, raising concerns about supply chain attacks in open-source registries. According to JFrog security researcher Andrey Polkovnichenko, over four million repositories in Docker Hub are imageless and contain no content except for documentation that leads users to phishing or malware-hosting websites.

Of the 4.79 million imageless Docker Hub repositories identified, 3.2 million have been used as landing pages in three broad campaigns – Downloader, E-book phishing, and Website. The Downloader campaign, created between the first half of 2021 and September 2023, directs users to links for pirated content or video game cheats that ultimately lead to malicious sources. The E-book phishing campaign, created in mid-2021, redirects users seeking e-books to a website that prompts them to enter financial information. The Website campaign, active from April 2021 to October 2023, contains links to an online diary-hosting service in some instances.

The payloads delivered by these campaigns include contacting a command-and-control server to transmit system metadata and redirecting users to fraudulent or malicious sites. Shachar Menashe, senior director of security research at JFrog, emphasized the challenge of protecting users from these campaigns, noting that threat actors are using the credibility of Docker Hub to deceive victims. Menashe also highlighted the need for caution when downloading packages from open-source ecosystems to mitigate the risk of supply chain attacks.

Developers are urged to exercise caution and vigilance when accessing open-source repositories to avoid falling victim to malicious actors. Menashe warned that while these specific campaigns targeted Docker Hub, similar threats could exist in other repositories as well. The complex and evolving nature of these attacks underscores the importance of proactive cybersecurity measures to safeguard against supply chain attacks and malware infiltration in open-source ecosystems.
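A triage check for the pattern described above (a repository with nothing to pull whose documentation sends the reader to an outside site), as an added example that is not from JFrog or the article. The record fields (name, tag_count, doc), the allowlist and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Matches http(s) links in plain text or Markdown documentation.
URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)

# Hosts that legitimately appear in registry documentation (assumed allowlist).
TRUSTED_HOSTS = {"hub.docker.com", "docs.docker.com", "github.com"}


def external_hosts(doc):
    """Return the sorted link hosts in the documentation that are not allowlisted."""
    hosts = set()
    for url in URL_RE.findall(doc or ""):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in TRUSTED_HOSTS:
            hosts.add(host)
    return sorted(hosts)


def triage(repo):
    """Classify one repository record (hypothetical schema: name, tag_count, doc)."""
    hosts = external_hosts(repo.get("doc"))
    imageless = repo.get("tag_count", 0) == 0
    if imageless and hosts:
        verdict = "suspicious"   # nothing to pull, docs push the reader off-site
    elif imageless:
        verdict = "imageless"    # empty, but no outbound links
    else:
        verdict = "has-image"
    return {"name": repo["name"], "verdict": verdict, "hosts": hosts}


# Constructed sample records; names and domains are placeholders.
SAMPLE = [
    {"name": "example/free-ebook", "tag_count": 0,
     "doc": "Download here: http://downloads.example.test/get?id=1"},
    {"name": "example/webapp", "tag_count": 12,
     "doc": "Source at https://github.com/example/webapp"},
    {"name": "example/placeholder", "tag_count": 0, "doc": ""},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(triage(record))
```

A "suspicious" verdict is a prompt for manual review of the listed hosts, not proof of malice; empty repositories also occur for benign reasons.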
