Backdoored images downloaded from DockerHub 5 million times

Malware installed through DockerHub can also escape the container, so may continue to run.

Friends don't let friends install unreproducible black box container images.

docker, not so hot take? 

@cwebber to be honest, the issues seem to come from open and unprotected kubernetes clusters.

So yeah, if you leave your orchestration tools wide open, attackers can execute code (docker images or not) on your infrastructure, it's not especially new, imho.

If you execute untrusted code, you can end up mining cryptocurrencies, it's not a docker specific issue ;)

@eliotberriot Leaving your orchestration tools wide open to attack should be difficult to accidentally do, but clearly that's not the case. Security ergonomics need to be a priority, whereas I think "get things up and running fast" is the priority in Docker-land. Admittedly that's been key to its wildfire-fast adoption... at serious costs.

We also need to get people out of the habit of believing that any non-reproducible deployment or binary system is safe to deploy.

@cwebber The beginning of the second article you shared describes pretty much that affected clusters were misconfigured or test clusters left open:

> Kubernetes clusters that were deployed for educational purposes or for tests with lack of security requirements represent a great threat for its owners. Even an experienced engineer could care less or even forget about that part of the infrastructure after tests.

@cwebber And the headline of one of the initial reports about this kind of stuff (

> This isn't a story about a Docker vulnerability; it's a story about how hackers are looking for unsecured Docker deployments where they can mine cryptocurrency. You shouldn't leave your Docker daemon unsecured any more than you would leave your mail server unsecured.

@eliotberriot The link you posted was to a different attack, though I agree it has some similar properties.

@eliotberriot At any rate, though I agree these images are probably more the deployment payload rather than the entry point vulnerability in this particular case, I think that was helped by a culture (and toolchain) of non-reproducibility on DockerHub. I'm sure there are plenty more of these, but how to know which has what? By being mostly impenetrable, so is the discovery of malware... and for that matter, vulnerabilities:

@cwebber I think we're on the same page (docker image as the vector of the attack and not the root cause).

Now for the non-reproducibility part, I really lack cultural background (I'm a pretty young dev, self-taught, so it does not help :/), but I think you are right

All of this is reminding me of

(I cannot read the link you posted, I get an error)

@cwebber as for security, installing the Docker daemon using the official package does not expose it to the outside world (which is needed for this attack to work)

It needs specific configuration to expose it. And if you do that, well, either you know or don't know what you're doing, and it's not the tool's fault ;) it's convenient they say, it'll be fine they say, you're just being paranoid.
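An added check for that point, not code from the thread: a POSIX shell audit of where a Docker daemon has been told to listen, reading the `"hosts"` array in a daemon.json and any `-H`/`--host` flags in a systemd `ExecStart=` line. The file paths are passed in as arguments and the sample configs in the comments are constructed.

```shell
#!/bin/sh
# Added example: flag a Docker daemon config that binds the API to a
# non-loopback tcp:// socket. Exit status 0 = exposed, 1 = unix/loopback only.

# Pull every host spec out of the "hosts": [ ... ] array of a daemon.json.
# Constructed minimal parser (no jq): good enough for the stock config format.
hosts_from_daemon_json() {
    [ -f "$1" ] || return 0
    tr -d '\n' < "$1" | grep -o '"hosts"[[:space:]]*:[[:space:]]*\[[^]]*\]' \
        | grep -o '"[a-z]*://[^"]*"' | tr -d '"'
}

# Pull -H / --host values from systemd unit or drop-in files,
# e.g. ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
hosts_from_systemd() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -E '^ExecStart=' "$f" \
            | grep -oE '(-H|--host)[ =]+[a-z]+://[^ ]*' \
            | sed -E 's/^(-H|--host)[ =]+//'
    done
}

# docker_api_exposed DAEMON_JSON [SYSTEMD_FILE...]
# Prints each tcp:// listener that is not bound to loopback; returns 0 if any.
docker_api_exposed() {
    json="$1"; shift
    exposed=1
    for h in $(hosts_from_daemon_json "$json") $(hosts_from_systemd "$@"); do
        case "$h" in
            tcp://127.0.0.1:*|tcp://localhost:*|tcp://\[::1\]:*) ;;  # loopback
            tcp://*) echo "exposed: $h"; exposed=0 ;;
            *) ;;  # unix://, fd://, npipe:// are not network listeners
        esac
    done
    return $exposed
}

# Typical invocation on a Debian/Ubuntu host (paths are the usual defaults):
# docker_api_exposed /etc/docker/daemon.json /etc/systemd/system/docker.service.d/*.conf
```

A `tcp://` listener on loopback only shows up as safe here; it is still reachable by any local user, and a `tcp://` listener on any other address without TLS client certificates is the wide-open daemon the thread is talking about.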

@cwebber Trying to explain supply chain attacks is not always the most successful conversation I can have
