Experts discovered that 30 malicious Docker images with a total number of 20 million pulls were involved in cryptomining operations.
Palo Alto Network researcher Aviv Sasson discovered 30 malicious Docker images, which were downloaded 20 million times, that were involved in cryptojacking operations.
The expert determined the number of cryptocurrencies that were mined to a mining pool account by inspecting the mining pool. Half of the images discovered by the expert were using a shared mining pool, by he estimated that threat actors mined US$200,000 worth of cryptocurrencies in a two-year period.
“One of the easiest ways is cryptojacking – the illegal use of someone else’s computing resources to mine cryptocurrencies. Container images are known as a simple way to distribute software, yet malicious cryptojacking images are also a simple way for attackers to distribute their cryptominers.” reads a post published by Palo Alto Network.
“I decided to take an extensive look into Docker Hub and discovered 30 malicious images with a total number of 20 million pulls (which means the images were downloaded 20 million times), together accounting for cryptojacking operations worth US$200,000.”
Docker Hub is the world’s largest. library and community for container images. It includes over 100,000 container images from software vendors, open-source projects, and the community.
In most attacks, threat actors mined Monero cryptocurrency (90,3%), but Sasson and his team also spotted campaigns aimed at mining Grin (GRIN) (6,5%) or ARO (Aronium) (3,2%) cryptocurrency.
In most attacks that mine Monero, the threat actors used the XMRig miner, but attackers also abused the Hildegard and Graboid miners.
“In most attacks that mine Monero, the attackers used XMRig, just as we saw with Hildegard and Graboid. XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source. Hence, attackers can modify its code.” continues the report.
“For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to 0.”
The researchers pointed out that container registries allow users to upgrade their images and also upload a new tag to the registry. Tags are used to reference different versions of the same image.
The researchers noticed that some images have different tags for different CPU architectures or operating systems, in this way the attacker can choose the best cryptominer for the victim’s hardware.
All the tags have in common the wallet address or the mining pool credentials, their analysis allowed the experts to link some of the malicious accounts with past cryptojacking attacks.
“The cloud presents big opportunities for cryptojacking attacks. In my research, I used a cryptomining scanner that only detects simple cryptomining payloads. I also made sure any identified image was malicious by correlating the wallet address to previous attacks. Even with these simple tools, I was able to discover tens of images with millions of pulls.” concludes the expert. “I suspect that this phenomenon may be bigger than what I found, with many instances in which the payload is not easily detectable.”
Palo Alto researchers provided Indicators of Compromise (IoCs) for these attacks and the list of malicious Docker images they discovered.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Docker)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
Experts discovered that 30 malicious Docker images with a total number of 20 million pulls were involved in cryptomining operations.
Palo Alto Network researcher Aviv Sasson discovered 30 malicious Docker images, which were downloaded 20 million times, that were involved in cryptojacking operations.
The expert determined the number of cryptocurrencies that were mined to a mining pool account by inspecting the mining pool. Half of the images discovered by the expert were using a shared mining pool, by he estimated that threat actors mined US$200,000 worth of cryptocurrencies in a two-year period.
“One of the easiest ways is cryptojacking – the illegal use of someone else’s computing resources to mine cryptocurrencies. Container images are known as a simple way to distribute software, yet malicious cryptojacking images are also a simple way for attackers to distribute their cryptominers.” reads a post published by Palo Alto Network.
“I decided to take an extensive look into Docker Hub and discovered 30 malicious images with a total number of 20 million pulls (which means the images were downloaded 20 million times), together accounting for cryptojacking operations worth US$200,000.”
Docker Hub is the world’s largest. library and community for container images. It includes over 100,000 container images from software vendors, open-source projects, and the community.
In most attacks, threat actors mined Monero cryptocurrency (90,3%), but Sasson and his team also spotted campaigns aimed at mining Grin (GRIN) (6,5%) or ARO (Aronium) (3,2%) cryptocurrency.
In most attacks that mine Monero, the threat actors used the XMRig miner, but attackers also abused the Hildegard and Graboid miners.
“In most attacks that mine Monero, the attackers used XMRig, just as we saw with Hildegard and Graboid. XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source. Hence, attackers can modify its code.” continues the report.
“For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to 0.”
The researchers pointed out that container registries allow users to upgrade their images and also upload a new tag to the registry. Tags are used to reference different versions of the same image.
The researchers noticed that some images have different tags for different CPU architectures or operating systems, in this way the attacker can choose the best cryptominer for the victim’s hardware.
All the tags have in common the wallet address or the mining pool credentials, their analysis allowed the experts to link some of the malicious accounts with past cryptojacking attacks.
“The cloud presents big opportunities for cryptojacking attacks. In my research, I used a cryptomining scanner that only detects simple cryptomining payloads. I also made sure any identified image was malicious by correlating the wallet address to previous attacks. Even with these simple tools, I was able to discover tens of images with millions of pulls.” concludes the expert. “I suspect that this phenomenon may be bigger than what I found, with many instances in which the payload is not easily detectable.”
Palo Alto researchers provided Indicators of Compromise (IoCs) for these attacks and the list of malicious Docker images they discovered.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Docker)