A series of malicious cryptojacking files that were stored on Docker Hub, a code repository site, have been downloaded more than 5 million times over the last year, helping a hacker infect countless computers that were used to mine about $90,000 worth of Monero, according to research from cybersecurity company Kromtech.
Monero is a popular cryptocurrency that’s become known for its usage among cyber criminals.
In a blog post published Tuesday, Kromtech discussed how the boobytrapped files had remained on Docker Hub for so long despite being noticed and reported multiple times.
Docker Hub is a repository site for containerized applications. Kromtech describes these containers as a “way of packaging software.” They are also referred to as images, container images or Docker images.
“You can think of running a container like running a virtual machine, without the overhead of spinning up an entire operating system,” Kromtech explains.
Kromtech lists tweets and comments on GitHub showing that some users noticed the malicious docker files with embedded cryptomining tools at least as far back as August 2017.
According to Kromtech, Docker Hub took down the offending account last month, about a week after Fortinet published its report. But it had been at least eight months since people first started reporting the malicious images.
The account was created in May 2017 and had stored 17 malicious container images that were “pulled” about 5 million times.
The files, once downloaded from Docker Hub by victims, will run scripts that give the attacker persistent access to the victim’s server, allowing them to run whatever code they want. In this case, the focus was on mining Monero using the victims’ computing power.
Kromtech says that a Monero wallet address linked to the attackers managed to collected upwards of 544 units of Monero, worth roughly $90,000.
While the images have now been removed from Docker Hub, they could potentially still be exploiting other servers of Docker Hub users that already accessed them.
Kromtech warns users to vet images before pulling them, given how easily hackers in this case were able to exploit victims.
“For ordinary users, just pulling a Docker image from the DockerHub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it,” Kromtech researchers write. “You need to ask yourself whether you’re able to monitor what’s going on inside a pod or container to determine if there is a potential exploit.”
In February, Tesla was revealed to have fallen victim to a cryptojacking scheme through Kubernetes, another tool used to configure containerized applications.