JFrog Reveals Docker Hub Compromise Spanning Millions of Repositories – Cloud Native Now


JFrog and Docker, Inc. today revealed that multiple large-scale malware campaigns, which injected malicious metadata into millions of repositories hosted on Docker Hub, have been underway since the first half of 2021.

Shachar Menashe, senior director of security research at JFrog, said approximately 2.8 million repositories have been compromised by malicious content. The issues range from simple spam that promotes pirated content to links to more lethal malware and phishing sites.

Docker Hub allows repository maintainers to add short descriptions and documentation in HTML format. These are displayed on the repository’s main page, intended to explain the purpose of the image and provide guidelines for usage.

The malicious content discovered by JFrog security researchers has already been removed by Docker, Inc.

Dangerous Malware

JFrog’s security research team discovered that about 4.6 million of the repositories in Docker Hub don’t have any container images at all. They have no content except for the repository’s documentation. Most of these imageless repositories were uploaded with the intent of enticing developers to visit phishing websites or websites that host dangerous malware, noted Menashe.


In the first wave of these campaigns, most of the URLs used appeared to come from known URL shorteners. However, these malicious shorteners don’t actually encode the destination URL. Instead, they encode a file name and resolve to a different domain each time a malicious resource is shut down. Every subsequent request to the same shortened link returns a different URL, and if the server hosting the malicious files is taken down, the shortener returns a link to a new, active one.

According to JFrog researchers, nearly a million repositories created in the middle of 2021 essentially turned Docker Hub into a “pirated eBook library.” These spam repositories all offered free eBook downloads, with randomly generated descriptions and URLs.

Starting in 2023, the malicious repositories no longer use direct links to malicious sources. Instead, to better evade detection, they point to legitimate resources that redirect to malicious sources. Cybercriminals are also making use of a well-known open redirect flaw that allows them to send users to a malicious site through a legitimate Google link with specific request parameters. JFrog researchers assume these request parameters were likely copied and embedded into the software from an application programming interface (API) exposed by a dubious advertising network that third parties pay to distribute executables.
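As an added illustration (not JFrog’s or Docker’s code), the following Python flags links in a repository description that hide their real destination either behind a URL-shortener domain or inside a query parameter of an otherwise legitimate host, which is the redirect pattern described above. The shortener list, host names and sample HTML are constructed for the example; since the article does not name the exact Google parameters the researchers saw, the check looks for the general shape (an absolute URL to another host carried in a query parameter).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed list for illustration; use a maintained one in practice.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

class LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in description HTML."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def embedded_redirect_target(url):
    """Host of an http(s) URL hidden in a query parameter of another host, or None."""
    outer = urlparse(url)
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname \
                    and inner.hostname != outer.hostname:
                return inner.hostname
    return None

def classify_links(description_html):
    """Map each link to 'shortener', 'redirect:<hidden host>' or 'direct'."""
    extractor = LinkExtractor()
    extractor.feed(description_html)
    verdicts = {}
    for link in extractor.links:
        host = (urlparse(link).hostname or "").lower()
        hidden = embedded_redirect_target(link)
        if host in SHORTENER_HOSTS:
            verdicts[link] = "shortener"
        elif hidden:
            verdicts[link] = "redirect:" + hidden
        else:
            verdicts[link] = "direct"
    return verdicts

# Constructed sample resembling an imageless spam repository's description.
SAMPLE_HTML = (
    '<p>Free eBook! <a href="https://bit.ly/3xAmPle">download</a> or '
    '<a href="https://legit.example/out?url=https://evil.example/x">mirror</a>; '
    'docs: <a href="https://docs.example/readme">readme</a></p>'
)
```

Running `classify_links(SAMPLE_HTML)` marks the first link as a shortener, the second as a redirect to evil.example and the third as direct; only the first two would warrant review.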

As many as a thousand repositories were created daily over a three-year period, while at other times, only one repository was created per user.

Docker Hub malware compromise

The extent of the potential damage inflicted by these malware campaigns is difficult to assess. However, application development teams should assume all the content hosted on any publicly accessible repository is potentially compromised, said Menashe. This discovery is the latest in a series of cyberattacks that target software supply chains. In this case, the effort seems to be focused mainly on compromising developer credentials rather than directly injecting malware into container applications.

However, given how long this campaign has been underway, no one knows for sure how those credentials might have been later used to compromise application development environments. The scope of the damage inflicted could easily go well beyond Docker Hub itself.

This post was originally published on the third-party site mentioned in the title of this post.
