
In Brief: Attacks against Docker and Kubernetes

Date: June 08, 2018

Publication: Article

A series of attacks targeting Docker and Kubernetes (the container orchestration tool originally developed by Google, commonly used to run Docker containers) was reported in June 2018. The event was covered in the press (see for example this article) mainly because a series of malicious Docker images had been removed from Docker Hub. It is nonetheless useful to describe how these attacks were probably carried out, to better understand the threat.

Docker Hub is the cloud repository provided by Docker to store the images from which Docker containers are built. It is, in the Docker world, the equivalent of what GitHub is for source code. It is typically used through the "docker pull" command, which downloads the image given as argument from Docker Hub onto the computer where the command was run; a container is then created from that image with "docker run" (which pulls the image itself if it is not already present locally). Docker Hub hosts official images, but also images published by any registered user.

In the malicious images attack, the attacker published on Docker Hub images that contained either a backdoor (a shell listening on a predefined network port) or a crypto-miner (using the host's CPU to mine cryptocurrency). The first attack scenario that comes to mind is that unaware users pulled and ran these images without knowing they were malicious. A more likely scenario, however, is that the attacker used these images himself, with the following tactic:

  • Search the Internet for poorly configured Docker or Kubernetes servers whose management API is reachable remotely without any authentication (for Docker, typically the daemon listening on TCP port 2375 with neither TLS nor client authentication). This is a serious security breach, but apparently not uncommon on the Internet.
  • Send to these servers, through that remote API, the equivalent of a "docker pull" followed by "docker run", which creates an additional container inside the victim's infrastructure. This additional container of course runs one of the malicious images previously placed on Docker Hub. Since the Docker daemon runs as root and lets the API caller choose which host paths the container mounts, control of that API amounts to root access on the server.
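The two steps above translate directly into what a defender should check on his own infrastructure: whether the Docker Engine API answers over plain TCP without authentication, whether the daemon configuration allows that, and whether any running container was started from an image outside the namespaces the organisation trusts. The script below is an added example written for this article; it is not code from Cert-IST, from the original report, or from Docker. It relies only on documented Docker facts (the daemon.json "hosts" and "tlsverify" keys, the GET /version and GET /containers/json endpoints, port 2375 for plain TCP and 2376 for TLS). The daemon.json documents, the container listing and the image name "someuser/tomcat" are constructed sample data, not artefacts from the attack.

```python
"""Audit helper for the exposure described above: Docker daemons whose
Engine API answers over plain TCP with no authentication, and containers
started from images outside the namespaces an organisation trusts.
Added example, not code from the Cert-IST article, the report or Docker."""
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Docker's conventional plain-TCP API port; 2376 is the TLS port.
DOCKER_PLAIN_PORT = 2375


def audit_daemon_config(config_text):
    """Return a list of findings for a daemon.json document.

    Only "tlsverify" makes the daemon check a client certificate; "tls"
    alone encrypts the connection but still lets anyone issue commands."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append("TCP API without TLS client verification: " + ", ".join(tcp_hosts))
    for h in tcp_hosts:
        if "0.0.0.0" in h or "[::]" in h:
            findings.append("API bound to all interfaces: " + h)
    return findings


def is_unauthenticated_api(status, body):
    """Classify a GET /version probe made over plain HTTP: a 200 answer
    carrying the version document means the daemon accepts anyone's commands."""
    if status != 200:
        return False
    try:
        return "ApiVersion" in json.loads(body)
    except ValueError:
        return False


def probe(host, port=DOCKER_PLAIN_PORT, timeout=3.0):
    """GET /version over plain HTTP, for auditing your own address ranges.
    Returns (status, body), or None if nothing answered."""
    url = "http://%s:%d/version" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (URLError, OSError, ValueError):
        return None


def image_source(ref):
    """Split an image reference into (registry, namespace).
    'nginx:1.15' -> ('docker.io', 'library'); 'bob/tomcat:8' -> ('docker.io', 'bob').
    A first path component with a dot or a port (or 'localhost') is a registry."""
    name = ref.split("@", 1)[0]  # drop any @sha256:... digest
    parts = name.split("/")
    registry = "docker.io"
    first = parts[0]
    if len(parts) > 1 and ("." in first or ":" in first or first == "localhost"):
        registry = first
        parts = parts[1:]
    namespace = parts[0] if len(parts) > 1 else "library"
    return registry, namespace


def suspicious_containers(containers, trusted):
    """From a GET /containers/json listing, return (name, image) pairs whose
    image does not come from one of the trusted (registry, namespace) pairs."""
    hits = []
    for c in containers:
        if image_source(c["Image"]) not in trusted:
            hits.append((c["Names"][0].lstrip("/"), c["Image"]))
    return hits


# Constructed sample data (not taken from the report): a weak and a hardened
# daemon.json, and a container listing shaped like the API's own output.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
SAMPLE_CONTAINERS = [
    {"Names": ["/web"], "Image": "nginx:1.15"},
    {"Names": ["/worker"], "Image": "registry.example.com:5000/team/app:1.0"},
    {"Names": ["/tomcat"], "Image": "someuser/tomcat:latest"},  # hypothetical Hub user
]
TRUSTED = {("docker.io", "library"), ("registry.example.com:5000", "team")}

if __name__ == "__main__":
    for finding in audit_daemon_config(WEAK_DAEMON_JSON):
        print("weak config:", finding)
    print("hardened config findings:", audit_daemon_config(HARDENED_DAEMON_JSON))
    print("not from a trusted source:", suspicious_containers(SAMPLE_CONTAINERS, TRUSTED))
```

Run against the constructed data, the weak configuration yields two findings (no client verification, bound to all interfaces), the hardened one none, and only the "tomcat" container is flagged because its image comes from an arbitrary Docker Hub user rather than an official or in-house namespace. The probe() function is the only part that touches the network; pointing it at your own ranges is the quickest way to find the kind of daemon the attacker was looking for.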

The poorly configured environments that were attacked were probably mostly test environments rather than production ones. Nevertheless, the attack apparently earned the attacker about 90,000 dollars in one year of activity!

For more information: report on this attack