News Analysis of 4,000,000 Docker images showed that half of them contain critical vulnerabilities

Otto

Researchers from Prevasio studied 4,000,000 public Docker images hosted on Docker Hub and found that more than half of them have critical vulnerabilities, and several thousand images contain malicious or potentially dangerous elements.

For the analysis, the specialists used their own Prevasio Analyzer service, which had to work non-stop for a month on 800 machines.

The analysis revealed that 51% of the 4,000,000 images studied contain packages or dependencies with at least one critical vulnerability, and another 13% are vulnerable to high-severity bugs.

Approximately 6,400 images (0.16% of the total number) were classified as malicious or potentially dangerous due to the presence of malware, cryptocurrency miners, hacker tools, the malicious npm package (flatmap-stream) and Trojan applications. Even worse, it turned out that all these images were downloaded more than 300,000,000 times.

Cryptocurrency miners were found in 44% of the 6,400 containers. Although in many cases developers honestly report that their images contain miners, sometimes the miners are hidden.

"Regardless of the initial intentions, if an employee of a company uses Docker Hub and then runs an image with a miner at work, there is a high probability that the company's resources will not be used as originally intended. The system administrator may find such container images undesirable for the corporate environment or even potentially dangerous," the experts write.

Images with dynamic payloads were also found during the study: the source image itself contained nothing malicious, but similar miner code was later loaded, compiled, and executed by a special script.
 