Docker Removed Millions of Malware-Infected Repositories on Docker Hub

In a recent investigation, researchers from JFrog uncovered a significant security threat on Docker Hub, prompting the removal of nearly 3 million public repositories.

These repositories contained no container images at all: each consisted only of a seemingly innocuous description page whose links led to spam, phishing pages, or malware.

Intention of Attackers

The threat, identified in April, involved exploiting Docker Hub’s platform credibility to distribute harmful content on a large scale.

JFrog researchers noted that because the malicious payload lived only in repository descriptions, and often sat behind redirect chains, the phishing and malware lures aimed at developers and organizations were hard to detect with the usual image-scanning controls.

JFrog’s Docker Hub Research

Looking back over roughly five years of Docker Hub activity, JFrog found approximately 4.6 million imageless repositories; about three in five of them, the nearly 3 million later removed, carried malicious metadata.

The attackers behind the campaign utilized over 200,000 fake accounts to upload these repositories, exploiting Docker’s policy that allows users to include HTML-formatted text descriptions and metadata.

The mass uploads occurred in two distinct waves, one in 2021 and another in 2023. In the 2021 campaign, repositories were used to distribute pirated content, cheats for video games, and phishing attempts to steal credit card information. The 2023 uploads mirrored the previous campaign but employed redirection techniques to lead victims to malicious sources, often through legitimate platforms like blogger.com.

Additionally, JFrog identified a long-running campaign that created about 1,000 repositories per day for three years. Although those repositories' description pages look harmless, the scale and automation point to a malicious purpose, plausibly groundwork for future activity.

Brian Moussalli, malware research team leader at JFrog, emphasized the necessity for stricter policies on Docker Hub to prevent such attacks. Following JFrog’s disclosure, Docker implemented measures to block embedding links to external resources in the description pages of imageless repositories. However, Moussalli suggested additional steps, such as restricting mass creation of accounts and enforcing rules on repository creation, to further thwart threat actors’ activities.
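The shape of the abuse described above (a repository with no tags whose description links off-platform) and the control Docker adopted in response suggest a simple heuristic check. The following is an added example, not JFrog's research tooling nor Docker's enforcement code. It assumes the JSON shape of the Docker Hub v2 API (`/v2/repositories/<namespace>/<name>/` for metadata with a `full_description` field, and its `/tags` listing with a `count` field); the allowlist of first-party hosts and the three sample records are constructed for the example and are not real repositories.

```python
"""Heuristic detection of imageless Docker Hub repositories whose
description pages link to external hosts.

Added example; not JFrog's tooling or Docker Hub's own enforcement.
The record layout (metadata dict with 'full_description', tags dict
with 'count') mirrors the Docker Hub v2 API as an assumption. All
sample data below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as first-party. Any other host linked from the
# description of a repository with zero tags is flagged.
# The allowlist itself is an assumption for this example.
ALLOWED_HOSTS = {"hub.docker.com", "docs.docker.com", "github.com"}

# Markdown links [text](url) and bare http(s) URLs in free text.
MD_LINK = re.compile(r"\[[^\]]*\]\((https?://[^)\s]+)\)")
BARE_URL = re.compile(r"https?://[^\s<>\"')]+")


class _HrefCollector(HTMLParser):
    """Collects href/src targets from HTML embedded in a description."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("href", "src") and value:
                self.urls.append(value)


def extract_urls(description: str) -> list:
    """Return every http(s) URL in a description, whether written as an
    HTML anchor/img, a Markdown link, or bare text."""
    text = description or ""
    collector = _HrefCollector()
    collector.feed(text)
    found = {u for u in collector.urls if u.startswith(("http://", "https://"))}
    found.update(MD_LINK.findall(text))
    found.update(BARE_URL.findall(text))
    return sorted(found)


def external_hosts(urls) -> list:
    """Hostnames from the URLs that are not on the first-party allowlist."""
    hosts = set()
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            hosts.add(host)
    return sorted(hosts)


def assess_repository(repo: dict, tags: dict) -> dict:
    """Flag a repository that has no tags (no image was ever pushed) and
    whose description pages link to hosts outside the allowlist."""
    imageless = tags.get("count", 0) == 0
    text = (repo.get("full_description") or "") + "\n" + (repo.get("description") or "")
    ext = external_hosts(extract_urls(text))
    return {
        "repo": f"{repo['namespace']}/{repo['name']}",
        "imageless": imageless,
        "external_hosts": ext,
        "suspicious": imageless and bool(ext),
    }


# Constructed sample records (not real Docker Hub repositories).
SAMPLE_REPOS = [
    (  # ordinary image with tags and a first-party link: benign
        {"namespace": "acme", "name": "nginx-hardened",
         "description": "Hardened nginx image",
         "full_description": "See https://github.com/acme/nginx-hardened for the Dockerfile."},
        {"count": 3, "results": [{"name": "latest"}, {"name": "1.25"}, {"name": "1.24"}]},
    ),
    (  # no tags, HTML description pointing off-platform: the JFrog pattern
        {"namespace": "free-stuff-2023", "name": "game-cheat-download",
         "description": "",
         "full_description": '<h1>Download now</h1><a href="https://redirect.example/go?x=1">Click here</a>'},
        {"count": 0, "results": []},
    ),
    (  # no tags but no links either: a placeholder, not flagged
        {"namespace": "alice", "name": "wip",
         "description": "placeholder",
         "full_description": ""},
        {"count": 0, "results": []},
    ),
]


def scan(samples=SAMPLE_REPOS) -> list:
    """Assess every (metadata, tags) pair and return the verdicts."""
    return [assess_repository(repo, tags) for repo, tags in samples]


if __name__ == "__main__":
    for verdict in scan():
        print(verdict)
```

The check deliberately treats "imageless" as "zero tags" rather than "no layers in the latest tag", because the repositories in this campaign never had an image pushed at all; a stricter variant could also query each tag's manifest. Redirect chains through legitimate platforms, as in the 2023 wave, are why the host allowlist is short and explicit rather than a denylist of known-bad domains.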

