Cryptominers revealed in popular images on Docker Hub

Security researcher Aviv Sasson of Unit 42 at Palo Alto Networks has discovered cryptocurrency miners in 30 containers in the Docker Hub library with over 20 million downloads.

Docker Hub is the largest containerized application library, allowing companies to share images internally or with their customers, and the developer community to distribute open source projects.

According to the expert, the images were downloaded from 10 different accounts. In most cases, attackers mined Monero cryptocurrency, with XMRig being the most preferred tool for this purpose. However, some malicious activities were aimed at mining the Grin (GRIN) or ARO (Aronium) cryptocurrencies.

As part of the operation, the attackers were able to extract about $ 200,000 worth of cryptocurrency. Looking through the image tags, Sasson discovered that in some cases there are different tags for processor architectures or operating systems.

“It appears that some attackers are generic and add these tags to match a wide range of potential victims, including a range of operating systems and CPU architectures,” Sasson explained.

He also noticed that there are tags with different types of cryptominers. Thus, the attacker can choose the tag that best suits the victim's equipment. The common element for all image tags was the wallet address or mining pool credentials. Using these identifiers, the researcher was able to link some malicious accounts to previous cryptojacking campaigns .

A complete list of malicious images detected by Sasson can be found here .

Previous Post Next Post