Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Common Security Threats

Poisoned Images

It's possible to inadvertently download and run a Docker image containing malware. These malicious images can perform various hostile activities, such as scanning your network for sensitive data, downloading payloads from a remote host, executing harmful commands, or engaging in cryptojacking. If you deploy an attacker's poisoned image, they may also gain unauthorized access to your data.

In 2019, Unit 42 researchers discovered the first-ever cryptojacking worm on Docker Hub. The worm, dubbed Graboid, was hidden in a Docker image that was downloaded over 10,000 times. It was designed to spread to other containers and mine the Monero cryptocurrency.

Graboid exploited unsecured Docker API endpoints to propagate itself. Here's how the attack worked:

  1. Initial Compromise: The attacker identifies an unsecured Docker host (one with an exposed Docker API socket) and remotely commands it to download and deploy the malicious Docker image pocosow/centos:7.6.1810. This image contains the Docker client tool necessary to communicate with other Docker hosts.

  2. Payload Execution: The container's entry point script, located at /var/sbin/bash (a non-standard path created by the malware), downloads four shell scripts from a Command and Control (C2) server. It executes them in the following sequence:

    • live.sh: Sends the number of available CPUs on the compromised host back to the C2 server to assess mining potential.
    • worm.sh
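The attack chain above rests on two weaknesses a defender can check for directly: a Docker API reachable over the network without TLS client verification, and an image whose entrypoint lives at a non-standard path and is pulled by a mutable tag rather than a digest. The following audit script is an added example, not code from the book; it parses a host's daemon.json and one image's `docker inspect` output. The daemon config and inspect JSON below are constructed samples, and the image name is a placeholder.

```python
"""Audit a Docker daemon configuration and an image's metadata for the
two weaknesses behind the poisoned-image chain described above.
Added example; sample inputs are constructed, not taken from a real host."""
import json

# Directories in which a legitimate entrypoint binary normally lives.
STANDARD_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/local/bin/", "/usr/local/sbin/")


def audit_daemon_config(daemon_json: str) -> list:
    """Return findings for the content of /etc/docker/daemon.json.

    The daemon listens only on the local unix socket by default. A 'tcp://'
    entry in 'hosts' exposes the API over the network, and without
    'tlsverify' any client that can reach that port controls the host.
    """
    cfg = json.loads(daemon_json)
    findings = []
    tls_ok = cfg.get("tlsverify") is True
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local only
        if not tls_ok:
            findings.append(f"API exposed on {host} without TLS client verification")
        elif host.startswith("tcp://0.0.0.0"):
            findings.append(f"API bound to all interfaces on {host}")
    return findings


def audit_image(inspect_json: str, reference: str) -> list:
    """Return findings for one image's `docker inspect` output (a JSON array).

    Flags an Entrypoint or Cmd program outside the standard bin directories
    and an image referenced by tag instead of an immutable digest.
    """
    info = json.loads(inspect_json)[0]
    cfg = info.get("Config") or {}
    findings = []
    for key in ("Entrypoint", "Cmd"):
        argv = cfg.get(key) or []
        if not argv:
            continue
        prog = argv[0]
        # Only absolute paths can be checked against the known directories.
        if prog.startswith("/") and not prog.startswith(STANDARD_BIN_DIRS):
            findings.append(f"{key} at non-standard path: {prog}")
    if "@sha256:" not in reference:
        findings.append(f"image referenced by tag, not digest: {reference}")
    return findings


# Constructed daemon.json: API reachable on every interface, no TLS.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed inspect output with the odd entrypoint path the text mentions;
# the image name is a placeholder, not a real repository.
SAMPLE_IMAGE_REF = "example.invalid/untrusted:7.6.1810"
SAMPLE_INSPECT_JSON = json.dumps([{
    "RepoTags": [SAMPLE_IMAGE_REF],
    "Config": {"Entrypoint": ["/var/sbin/bash"], "Cmd": None},
}])


if __name__ == "__main__":
    for line in audit_daemon_config(SAMPLE_DAEMON_JSON):
        print("daemon:", line)
    for line in audit_image(SAMPLE_INSPECT_JSON, SAMPLE_IMAGE_REF):
        print("image: ", line)
```

On a real host, feed `audit_daemon_config` the contents of `/etc/docker/daemon.json` and `audit_image` the output of `docker inspect <image>`; both functions return an empty list when nothing is flagged, so they drop straight into a CI gate or a host-compliance check.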
