Cybersecurity researchers have uncovered multiple campaigns that seeded Docker Hub with millions of malicious "imageless" repositories over roughly the past five years, highlighting how exposed public open-source registries are to supply chain abuse.
“More than four million Docker Hub repositories are imageless and only contain repository documentation,” explained JFrog security researcher Andrey Polkovnichenko in a report shared with The Hacker News.
These repositories contain no container image at all. Instead, their documentation pages serve as landing pages designed to lure users to phishing or malware-distributing websites.
Out of the 4.79 million imageless Docker Hub repositories discovered, 3.2 million have been used to redirect users to fraudulent sites in three major campaigns –
- Downloader (repositories created between the first half of 2021 and September 2023), which provides links to pirated content or game cheats but redirects users to malicious sources or legitimate sites containing malicious JavaScript code after a short delay.
- E-book phishing (repositories created in mid-2021), which redirects users looking for e-books to a site (“rd.lesac.ru”) asking for financial details to download the e-book.
- Website (thousands of repositories created daily from April 2021 to October 2023), which in some instances includes links to an online diary-hosting service called Penzu.
The downloader campaign’s payload connects to a command-and-control (C2) server to transmit system metadata and receive a link to cracked software in return.
The purpose of the website cluster campaign is currently unclear, with the activity also observed on sites with lenient content moderation policies.
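The common thread across the three campaigns described above is that the repository has nothing to pull and its README is the payload. A cheap pre-pull triage is therefore to ask Docker Hub how many tags a repository has and to look at where the README's links point. The script below is an added example, not code from the JFrog report or from Docker; it assumes the shape of Docker Hub's public v2 API (a tag listing with a `count` field and a `results` array, and a repository record with a `full_description` field), and the two sample repositories are constructed data, so the script runs offline. It will not catch a repository that ships a real image alongside a malicious README, which is a separate problem.

```python
"""Heuristic triage of a Docker Hub repository before pulling from it.

An "imageless" repository has no tags (nothing to pull) and exists only
for its README, which is where the lure links live. Added example with
constructed data; the API field names below are assumptions.
"""
import re
from urllib.parse import urlparse

# Docker Hub's public v2 API base (assumed). Only used to build URLs here;
# nothing in this file makes a network call.
HUB_API = "https://hub.docker.com/v2/repositories"

# Hosts a legitimate README is expected to link to. Anything else is
# reported as an external link worth a second look.
TRUSTED_HOSTS = {"hub.docker.com", "docs.docker.com", "github.com", "gitlab.com"}

URL_RE = re.compile(r"""https?://[^\s)\]>"']+""")


def tags_url(namespace, repo):
    """URL of the tag listing; page_size=1 is enough because we only need count."""
    return f"{HUB_API}/{namespace}/{repo}/tags?page_size=1"


def external_links(description):
    """Return every URL in the README whose host is not in TRUSTED_HOSTS."""
    links = []
    for raw in URL_RE.findall(description or ""):
        url = raw.rstrip(".,;")          # drop sentence punctuation glued to the URL
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            links.append(url)
    return links


def classify_repo(repo_meta, tag_listing):
    """Combine tag count and README links into a verdict plus the evidence."""
    tag_count = tag_listing.get("count", len(tag_listing.get("results", [])))
    links = external_links(repo_meta.get("full_description", ""))
    if tag_count == 0:
        verdict = "imageless-with-external-links" if links else "imageless"
    else:
        verdict = "has-image"
    return {
        "name": f"{repo_meta.get('namespace')}/{repo_meta.get('name')}",
        "tag_count": tag_count,
        "external_links": links,
        "verdict": verdict,
    }


# --- constructed sample data (not real Docker Hub records) ---------------
LURE_META = {
    "namespace": "someuser",
    "name": "pro-tool-cracked",
    "full_description": (
        "# Pro Tool 2023 full version\n"
        "Download here: http://downloads.example.invalid/get?id=42 (all versions).\n"
    ),
}
LURE_TAGS = {"count": 0, "results": []}

REAL_META = {
    "namespace": "library",
    "name": "nginx",
    "full_description": "Source: https://github.com/nginxinc/docker-nginx.",
}
REAL_TAGS = {"count": 1, "results": [{"name": "latest"}]}


if __name__ == "__main__":
    for meta, tags in ((LURE_META, LURE_TAGS), (REAL_META, REAL_TAGS)):
        print(classify_repo(meta, tags))
```

In practice you would fetch `tags_url(...)` and the repository record, then feed the parsed JSON to `classify_repo`; treating an `imageless-with-external-links` verdict as "do not click, do not pull" is the cheap win the report's numbers point at.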
Shachar Menashe, senior director of security research at JFrog, commented, “The concerning aspect of these campaigns is the difficulty for users to protect themselves initially, other than being cautious.”
“These threat actors have created a space for malware development over three years, leveraging the reputation of Docker Hub to ensnare victims,” added Menashe.
Given the meticulous efforts of threat actors to compromise popular utilities, such as the XZ Utils incident, developers must exercise caution when downloading packages from open-source ecosystems.
“Adhering to Murphy’s Law, if a vulnerability can be exploited by malware developers, it will be, indicating that these malicious campaigns may extend beyond Docker Hub,” warned Menashe.