The Team Nautilus security researchers at Aqua Security have reported the discovery of cryptomining activity that involved 92 malicious Docker Hub registries and 92 Bitbucket repositories, all set up over the course of four days.
The attacks were discovered using a dynamic threat analysis (DTA) tool developed by Aqua for identifying security issues in production environments. The report found cybercriminals are employing a continuous integration process that initiates multiple auto-build processes every hour. During each build, a Monero cryptominer is executed.
The Aqua Security report detailed a kill chain process to eliminate the threat to registries and repositories, and Aqua has alerted both Docker, Inc. and Atlassian to the respective Docker Hub and Bitbucket issues. In general, cryptomining is widely considered to be the digital equivalent of a nuisance crime, in that a small amount of processing power is surreptitiously hijacked to mine digital currencies. According to another recent report published by Aqua Security, 95% of the compromised container images it discovered on various repositories were designed to hijack resources for the sole purpose of cryptocurrency mining.
However, Assaf Morag, lead data analyst at Aqua Security, noted that cryptomining malware is increasingly being packaged in images with other forms of malware that are not as harmless. Some of the cybercriminals that have compromised systems to generate digital currency income are now becoming more ambitious, Morag said.
In addition, Morag said cybercriminals are becoming more adept at jailbreaking from a container image to take over an entire host. Once that’s accomplished, malware spreads laterally across an entire IT environment, Morag noted.
Unfortunately, container security doesn’t always get the attention it deserves. Developers assume they don’t need a lot of dedicated security because container instances typically only run for a few seconds. However, containers are now being created by cybercriminals with the intent to compromise software supply chains. It’s also worth noting that, as more stateful applications are built to drive digital business transformation initiatives, many containers are now running for a much longer period of time.
It’s not clear, however, who inside an organization is responsible for identifying compromised containers. Most development teams are only focused on the container images they create. A few containers of unknown origin might not stand out in a repository that has thousands of images. Many of those container images are downloaded by developers under the assumption they are secure because they resided in a repository alongside other frequently used container images. The assumption is that the stewards of the repository are making sure the container images are safe.
Of course, it’s that trust that cybercriminals are counting on. Developers, thanks to the rise of DevSecOps best practices, are taking more responsibility for their own container images. However, like it or not, it is up to cybersecurity teams to root out the rest.
Many organizations are making certain that developers only employ vetted container images downloaded from a private repository. Whatever the strategy, it’s clear cybersecurity teams will need to become more involved in securing software supply chains at a time when organizations are increasingly dependent on them.
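One concrete form of the control described above, restricting builds and deployments to images pulled from a vetted private registry, is shown here as an added example; it is not code from the article or from Aqua Security. The registry name `registry.example.internal` is an assumed placeholder, and the reference-parsing rules follow Docker's conventions for how an implied `docker.io` registry and `library/` namespace are filled in.

```python
"""Enforce a private-registry allowlist for container image references.

Added example (not from the article or Aqua Security): a check a CI step or
an admission hook can run over the images a workload pulls, so that an
image of unknown origin from a public hub is flagged before it runs.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed placeholder for the organization's vetted private registry.
ALLOWED_REGISTRIES = {"registry.example.internal"}


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split a Docker-style reference into registry, repository, tag, digest.

    Docker's rules: the first path component is a registry only if it contains
    '.' or ':' or equals 'localhost'; otherwise the registry is docker.io, and a
    bare name such as 'alpine' lives under the 'library/' namespace. Getting
    this normalization right is what stops 'nginx' from slipping past a naive
    string match that only looks for 'docker.io'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last ':' that follows the final '/', so a
    # port in the registry host is never mistaken for a tag.
    tag = None
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def is_allowed(ref: str) -> bool:
    """True only when the image comes from an allowlisted private registry."""
    return parse_image_ref(ref).registry in ALLOWED_REGISTRIES


def audit_images(refs: List[str]) -> List[str]:
    """Return the references that would pull from an unvetted public source."""
    return [r for r in refs if not is_allowed(r)]
```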