A single person or group may have made as much as $90,000 over 10 months by spreading 17 malicious images that were downloaded more than 5 million times from Docker Hub, researchers said Wednesday. The repository finally removed the submissions in May, more than eight months after receiving the first complaint.
Docker images are packages that typically include a pre-configured application running on top of an operating system. By downloading them from Docker Hub, administrators can save huge amounts of set-up time. Last July and August one or more people used the Docker Hub account docker123321 to upload three publicly available images that contained surreptitious code for mining cryptocurrencies. In September, a GitHub user complained one of the images contained a backdoor.
Eight months of inaction
Neither the Docker Hub account nor the malicious images it submitted were taken down. Over the the coming months, the account went on to submit 14 more malicious images. The submissions were publicly called out two more times, once in January by security firm Sysdig and again in May by security company Fortinet. Eight days after last month’s report, Docker Hub finally removed the images. The following image, provided by security firm Kromtech, shows the chronology of the campaign.