
Monero

Docker

Cryptomining


Malicious images spread across Docker Hub generated $200,000

Aviv Sasson discovered malicious images distributed across Docker Hub that have generated roughly $200,000 through cryptomining

01-Apr-2021
4 min read

Palo Alto Networks' Unit 42 researcher Aviv Sasson found that rogue images distributed through at least 10 different Docker Hub accounts have generated approximately $200,000 through cryptomining. The cryptocurrency in almost every case was Monero, which accounted for at least 90 percent of the malicious activity Sasson observed. Monero suits attackers for two reasons: its design hides the transaction trail, giving the miner a high degree of anonymity, and it is cheap to mine, because its proof-of-work runs on any ordinary CPU. Bitcoin, by contrast, can only be mined cost-effectively on specialized hardware (ASICs) with far higher hash rates, so a hijacked container gets an attacker nothing. In the majority of attacks that mine Monero, the threat actors used the well-worn, off-the-shelf XMRig miner.

“XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient, and, most importantly, open-source,” he explained. “Hence, attackers can modify its code. For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to zero.”

Two other cryptocurrencies were found in the mining pools the images connected to: Grin and Arionum. Grin accounted for 6.5 percent of the total activity and Arionum for 3.2 percent.

The malware is distributed through trojanized images published on the public Docker Hub container registry, the same place developers pull images from when building cloud applications. Anyone can push images to a Docker Hub account, much as anyone can publish a package to public code repositories such as npm or RubyGems. Sasson noticed that the adversaries behind the rogue images attached tags to them; a tag is how a registry refers to different versions of the same image. “When examining the tags of the images, I found that some images have different tags for different CPU architectures or operating systems,” he explained. “It seems like some attackers are versatile and add these tags in order to fit a broad range of potential victims that includes a number of operating systems (OS) and CPU architectures. In some images, there are even tags with different types of cryptominers. This way, the attacker can choose the best cryptominer for the victim’s hardware.” The researcher was able to tie the tags back to specific wallet addresses, which let him sort the images into separate campaigns.

“After digging deeper, in some cases, I could see that there are numerous Docker Hub accounts that belong to the same campaign,” he explained. “For example, in previous research, Unit 42 found the malicious account azurenql. Now, we discovered that the campaign is broader and includes the accounts 021982, dockerxmrig, ggcloud1, and ggcloud2.”

Sasson's findings may well be only the tip of the iceberg, because the cloud offers room for much larger cryptojacking operations. “It is reasonable to assume that there are many other undiscovered malicious images on Docker Hub and other public registries,” he said.

“In my research, I used a crypto mining scanner that only detects simple cryptomining payloads. I also made sure any identified image was malicious by correlating the wallet address to previous attacks. Even with these simple tools, I was able to discover tens of images with millions of pulls. I suspect that this phenomenon may be bigger than what I found, with many instances in which the payload is not easily detectable.”
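The two techniques the article describes, flagging an image by the miner it launches and then clustering images across accounts by the wallet they pay out to, are shown below as an added example. This is not Unit 42's scanner or any Docker Hub code; it works over constructed image records (repository, tag, CMD tokens and bundled files) rather than pulling real images, and every repository, tag, pool and wallet string in it is made up. The XMRig flags it looks for (`-o/--url`, `-u/--user`, `--donate-level`) and the `pools`/`donate-level` keys of its JSON config are real, but the record shape is an assumption of this example.

```python
"""Simple cryptomining scanner over container image metadata.

Added example for this article, not Unit 42's scanner or any Docker Hub code.
The image records below are constructed: repos, tags, pools and wallets are
made up and are not the ones from the research.
"""
import json
import re
from collections import defaultdict

# Off-the-shelf miner binaries invoked from an image's CMD/ENTRYPOINT.
MINER_BINARY = re.compile(r"(?:^|/|\s)(xmrig|xmr-stak|cpuminer|minerd)(?:\s|$)", re.I)
# XMRig command-line flags: pool URL, wallet (base58, a worker suffix may follow a '.')
# and the donation percentage attackers commonly force to zero.
POOL_ARG = re.compile(r"(?:--url|-o)[=\s]+(?:stratum\+(?:tcp|ssl)://)?([\w.\-]+:\d{2,5})")
WALLET_ARG = re.compile(r"(?:--user|-u)[=\s]+([1-9A-HJ-NP-Za-km-z]{40,106})")
DONATE_ARG = re.compile(r"--donate-level[=\s]+(\d+)")
# Monero standard address or subaddress: 95 base58 characters starting with 4 or 8.
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")


def scan_image(image):
    """Return a finding for one image record, or None if no miner indicator matched.

    Record shape (an assumption of this example; a real scanner would fetch the
    image config and layers from the registry): {"repo", "tag", "cmd": [tokens],
    "files": {path: text}}.
    """
    cmdline = " ".join(image.get("cmd", []))
    files = image.get("files", {})
    finding = {"repo": image["repo"], "tag": image["tag"],
               "miner": None, "pool": None, "wallet": None, "donate_level": None}
    m = MINER_BINARY.search(cmdline)
    if m:
        finding["miner"] = m.group(1).lower()
    for rx, key in ((POOL_ARG, "pool"), (WALLET_ARG, "wallet"), (DONATE_ARG, "donate_level")):
        m = rx.search(cmdline)
        if m:
            finding[key] = m.group(1)
    # XMRig can also take its pool, wallet and donation level from a JSON config,
    # so a bundled config is a second place to read the same fields from.
    for path, content in files.items():
        if not path.endswith(".json"):
            continue
        try:
            cfg = json.loads(content)
        except ValueError:
            continue
        if not isinstance(cfg, dict):
            continue
        pools = cfg.get("pools") or []
        if pools or "donate-level" in cfg:
            finding["miner"] = finding["miner"] or "xmrig-config"
            if "donate-level" in cfg:
                finding["donate_level"] = str(cfg["donate-level"])
            if pools:
                finding["pool"] = finding["pool"] or pools[0].get("url")
                finding["wallet"] = finding["wallet"] or pools[0].get("user")
    # Last resort: any bare Monero address in the command line or bundled files.
    if finding["wallet"] is None:
        m = MONERO_ADDR.search(cmdline + " " + " ".join(files.values()))
        if m:
            finding["wallet"] = m.group(0)
    if finding["miner"] is None and finding["wallet"] is None:
        return None
    return finding


def cluster_by_wallet(images):
    """Group flagged repositories by payout wallet. One wallet shared by several
    accounts is the signal that ties those accounts to a single campaign."""
    campaigns = defaultdict(set)
    for img in images:
        f = scan_image(img)
        if f and f["wallet"]:
            campaigns[f["wallet"]].add(f["repo"])
    return {w: sorted(repos) for w, repos in campaigns.items()}


# Constructed wallet strings with the right length and alphabet, not real addresses.
WALLET_A = "4" + "AbCdEfGhJkMnPqRsTuVwXyZ23456789" * 3 + "A"
WALLET_B = "8" + "ZyXwVuTsRqPnMkJhGfEdCbA98765432" * 3 + "Z"

SAMPLE_IMAGES = [  # constructed records, not real Docker Hub content
    {"repo": "acct-one/worker", "tag": "amd64",
     "cmd": ["xmrig", "-o", "pool.invalid:3333", "-u", WALLET_A, "--donate-level=0"]},
    {"repo": "acct-one/worker", "tag": "arm64",  # same image, second architecture tag
     "cmd": ["/usr/bin/xmrig", "-o", "pool.invalid:3333", "-u", WALLET_A + ".arm", "--donate-level=0"]},
    {"repo": "acct-two/build", "tag": "latest",  # different account, same wallet
     "cmd": ["/bin/sh", "-c", "./xmrig --url=stratum+tcp://pool.invalid:3333 --user="
             + WALLET_A + " --donate-level 0"]},
    {"repo": "acct-three/cron", "tag": "latest", "cmd": ["/app/run.sh"],  # miner hidden in config
     "files": {"/app/config.json": json.dumps(
         {"donate-level": 0, "pools": [{"url": "other.invalid:4444", "user": WALLET_B}]})}},
    {"repo": "lib/nginx", "tag": "latest", "cmd": ["nginx", "-g", "daemon off;"]},  # benign
]

if __name__ == "__main__":
    for wallet, repos in cluster_by_wallet(SAMPLE_IMAGES).items():
        print(wallet[:12] + "...", "->", ", ".join(repos))
```

Run as a script, the example prints two campaigns: the first wallet links acct-one (both architecture tags) with acct-two, the second stands alone, and the nginx image produces no finding. The scanner is deliberately as simple as the one Sasson describes: it only catches payloads that name the miner or its wallet in plain text, which is exactly why he expects the real population of malicious images to be larger.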