**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 12:37

**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 12:37

Christopher Lemmer Webber @cwebber

Jun 15, 2018, 12:37

Backdoored images downloaded from DockerHub 5 million times https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/ https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

Malware installed through DockerHub can also escape the container, so may continue to run.

Friends don't let friends install unreproducible black box container images.

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:44

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:44

Jun 15, 2018, 12:44

Eliot Berriot @eliotberriot@mastodon.eliotberriot.com

docker, not so hot take? Show more

@cwebber to be honest, the issues seem to come from open and unprotected kubernetes clusters.

So yeah, if you leave your orchestration tools wide open, attackers can execute code (docker images or not) on your infrastructure, it's not especially new, imho.

If you execute untrusted code, you can end up mining cryptocurrencies, it's not a docker specific issue ;)

**Christopher Lemmer Webber** @cwebber · 2018-06-15T12:50:58Z

Christopher Lemmer Webber @cwebber

docker, not so hot take? Show more

@eliotberriot Leaving your orchestration tools wide open to attack should be difficult to accidentally do, but clearly that's not the case. Security ergonomics need to be a priority, whereas I think "get things up and running fast" is the priority in Docker-land. Admittedly that's been key to its wildfire-fast adoption... at serious costs.

We also need to get people out of the habit of believing that any non-reproducible deployment or binary system is safe to deploy.

Jun 15, 2018, 12:50 · Web · 0 · 1

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:53

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:53

Jun 15, 2018, 12:53

Eliot Berriot @eliotberriot@mastodon.eliotberriot.com

docker, not so hot take? Show more

@cwebber The beginning of the second article you shared describe pretty much that affected clusters where misconfigured or test clusters left open:

> Kubernetes clusters that were deployed for educational purposes or for tests with lack of security requirements represent a great threat for its owners. Even an experienced engineer could care less or even forget about that part of the infrastructure after tests.

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:54

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:54

Jun 15, 2018, 12:54

Eliot Berriot @eliotberriot@mastodon.eliotberriot.com

docker, not so hot take? Show more

@cwebber And the headline of one of the initial reports about this kind of stuff (https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack):

> This isn't a story about a Docker vulnerability; it's a story about how hackers are looking for unsecured Docker deployments where they can mine cryptocurrency. You shouldn't leave your Docker daemon unsecured any more than you would leave your mail server unsecured.

**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 13:36

**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 13:36

Jun 15, 2018, 13:36

Christopher Lemmer Webber @cwebber

docker, not so hot take? Show more

@eliotberriot The link you posted was to a different attack, though I agree has some similar properties.

**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 13:46

**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 13:46

Jun 15, 2018, 13:46

Christopher Lemmer Webber @cwebber

docker, not so hot take? Show more

@eliotberriot At any rate, though I agree these images are probably more the deployment payload rather than the entry point vulnerability in this particular case, I think that was helped by a culture (and toolchain) of non-reproducibility on DockerHub. I'm sure there are plenty more of these, but how to know which has what? By being mostly impenetrable, so is the discovery of malware... and for that matter, vulnerabilities: http://delivery.acm.org/10.1145/3030000/3029832/p269-shu.pdf

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 14:23

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 14:23

Jun 15, 2018, 14:23

Eliot Berriot @eliotberriot@mastodon.eliotberriot.com

docker, not so hot take? Show more

@cwebber I think we're on the same page (docker image as the vector of the attack and not the root cause).

No for the non-reproducibility part, I really lack cultural background (I'm a pretty young dev, self-taught, so it does not help :/), but I think you are right

All of this is reminding me of https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

(I cannot read the link you posted, I get an error)

**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 14:25

**Christopher Lemmer Webber** @cwebber · Jun 15, 2018, 14:25

Jun 15, 2018, 14:25

Christopher Lemmer Webber @cwebber

docker, not so hot take? Show more

@eliotberriot link at top of https://blog.acolyer.org/2017/04/03/a-study-of-security-vulnerabilities-on-docker-hub/

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:58

**Eliot Berriot** @eliotberriot@mastodon.eliotberriot.com · Jun 15, 2018, 12:58

Jun 15, 2018, 12:58

Eliot Berriot @eliotberriot@mastodon.eliotberriot.com

docker, not so hot take? Show more

@cwebber as for security, installing the Docker daemon using the official package do not expose it to the outside world (which is needed for this attack to work)

It needs specific configuration to expose it. And if you do that, well, either you know or don't know what you're doing, and it's not the tool's fault ;)