restprestige.blogg.se

Kindle cloud reader audio companion pc








Upon analysis, the credentials can be seen in the aforementioned header X-Registry-Auth only because the client initiating the request to create a container on a target server had authenticated it to their DockerHub container registry.

As a legitimate use case, a user might want to authenticate their DockerHub repository to create containers based on the images in their private repository. These are the DockerHub credentials of user “satoshiav0cad0”. In our analysis, we use DockerHub as an example. When you create a container, the container daemon looks up the image from the container registry by default. Many container registries such as DockerHub, Amazon Elastic Container Registry (ECR), and Alibaba Container Registry, to name a few, host container images. With the right authorization context, one can simply “pull” an image, create a container based on it, and deploy applications. Most importantly, Docker works with any platform.

Container registries are storage and distribution platforms for container images, similar to how code or programs are hosted on repositories like GitHub. It’s simple to use and is favored by developers, as a user can write services and deploy applications at great speed. Of the two we identified here, the most interesting account for study was the alpineos account, which hosted malicious container images with over 150,000 pulls.

Docker is a container services platform that helps developers follow a write-once-run-anywhere (WORA) practice. As a result, we found 26 unique DockerHub accounts that are either compromised or malicious. In July 2021, we published our research on TeamTNT’s malicious activities and found evidence of the group infiltrating via the Docker API.


These DockerHub profiles were actively used to deploy malicious images containing the following:

Unless the user logs out manually, the header “X-Registry-Auth” stores the credentials. The threat actors were logged in to their accounts on the DockerHub registry and probably forgot to log out. The account alpineos was used in exploitation attempts on our honeypots three times, from mid-September to early October 2021, and we tracked the deployments’ IP addresses to their location in Germany. We have notified Docker about these accounts. Our honeypots showed that threat actor TeamTNT was leaking credentials from at least two of their attacker-controlled DockerHub accounts, namely alpineos (with over 150,000 pulls) and sandeep078 (with 200 pulls). Upon analyzing the samples, we were able to understand the threat actors’ use of container registry features for Docker malware and their tactics, techniques, and procedures (TTPs). One of these honeypots is based on an exposed Docker REST API, for analysis from cloud services providers’ and users’ perspectives.


We constantly deploy and study our honeypots to get a view of actively exploited vulnerabilities and misconfigurations on platforms and services that pose cloud security risks.
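The X-Registry-Auth header described above is sent by the Docker client as base64url-encoded JSON, so a honeypot operator can read the registry account out of captured requests. The following is an added example, not code from the original research: the function names, record layout, IP addresses and account values are all constructed assumptions, and secrets are reported only as present or absent.

```python
import base64
import json

def decode_registry_auth(header_value):
    """Decode an X-Registry-Auth value (base64url JSON); return None if malformed."""
    raw = header_value.strip().replace("+", "-").replace("/", "_")
    raw += "=" * (-len(raw) % 4)  # tolerate stripped padding
    try:
        doc = json.loads(base64.urlsafe_b64decode(raw))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return doc if isinstance(doc, dict) else None

def registry_identities(captured_requests):
    """List registry accounts seen in captured Docker API requests, without secrets."""
    findings = []
    for req in captured_requests:
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        value = headers.get("x-registry-auth")
        if value is None:
            continue  # request carried no registry credentials
        auth = decode_registry_auth(value)
        if auth is None:
            findings.append({"src": req["src"], "path": req["path"], "error": "malformed"})
            continue
        findings.append({
            "src": req["src"], "path": req["path"],
            "username": auth.get("username", ""),
            "serveraddress": auth.get("serveraddress", ""),
            # Record only whether a secret was sent, never the secret itself.
            "has_secret": bool(auth.get("password") or auth.get("identitytoken")),
        })
    return findings

def encode_sample(doc):
    """Build a header value for the constructed sample records below."""
    return base64.urlsafe_b64encode(json.dumps(doc).encode()).decode()

# Constructed honeypot records: documentation IPs, made-up account and password.
SAMPLE = [
    {"src": "203.0.113.7", "path": "/v1.41/images/create?fromImage=example-account/image",
     "headers": {"X-Registry-Auth": encode_sample({"username": "example-account",
         "password": "not-a-real-password", "serveraddress": "https://index.docker.io/v1/"})}},
    {"src": "203.0.113.8", "path": "/v1.41/containers/json", "headers": {}},
    {"src": "203.0.113.9", "path": "/v1.41/images/create?fromImage=alpine",
     "headers": {"x-registry-auth": "bm90LWpzb24="}},  # valid base64, not JSON
]

if __name__ == "__main__":
    print(*registry_identities(SAMPLE), sep="\n")
```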









