Malicious Docker Containers Earn Cryptomining Criminals $90K

Posted on Jun 15, 2018

Seventeen malicious Docker containers earned cryptomining criminals $90,000 in 30 days in what could be a harbinger of things to come. The figure may seem tame compared to some of the larger paydays that cryptojackers have earned. But researchers at Kromtech Security Center warn that containers are shaping up to be the next ripe target for these types of criminals.

Kromtech said the malicious Docker images (17 in total) were pulled down from the Docker Hub image repository. Researchers can’t say for sure how many times the rogue containers were used by Docker Hub users, but Kromtech estimates that the 17 images were downloaded collectively 5 million times during the year they were available. All 17 were removed from Docker Hub on May 10 by Docker, after Fortinet found the containers and published a report on the images being used to mine cryptocurrency.

Fortinet was able to tie the compromised containers back to one threat actor, thanks to a shared Monero wallet. Kromtech’s report delved deeper into the malicious containers found by Fortinet and the larger Docker threat landscape. Of the 17 malicious containers, Kromtech said nine had the mining software pre-installed.

The others were intentionally left misconfigured and available on Docker Hub, allowing the adversary access to the instances at a later date. Each of the images advertised itself as a tool for various popular software products such as Apache Tomcat, MySQL and Cron.