Tainted, crypto-mining containers pulled from Docker Hub – TechCrunch

Security companies Fortinet and Kromtech found seventeen tainted Docker containers that were essentially downloadable images containing programs that had been designed to mine cryptocurrencies. Further investigation found that they had been downloaded 5 million times, suggesting that hackers were able to inject commands into insecure containers to download this code into otherwise healthy web applications. The researchers found the containers on Docker Hub, a repository for user images.

“Of course, we can safely assume that these had not been deployed manually. In fact, the attack seems to be fully automated. Attackers have most probably developed a script to find misconfigured Docker and Kubernetes installations. Docker works as a client/server architecture, meaning the service can be fully managed remotely via the REST API,” wrote researcher David Maciejak.

The containers are now gone, but the hackers may have gotten away with up to $90,000 in cryptocurrency, a small but significant amount for such a hack.

“Today’s growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create a fully automated tool that forces these platforms to mine Monero,” said a writer of a report by Kromtech. “By pushing malicious images to a Docker Hub registry and pulling it from the victim’s system, hackers were able to mine 544.74 Monero, which is equal to $90,000.”

“As with public repositories like GitHub, Docker Hub is there for the service of the community. When dealing with open public repositories and open source code, we recommend that you follow a few best practices including: know the content author, scan images before running and use curated official images in Docker Hub and certified content in Docker Store whenever possible,” wrote Docker’s head of security David Lawrence in a Threatpost report.

Cool read from TC Source Link

Comments

Post a Comment

Popular posts from this blog

Google’s new Tour Creator lets students make their own VR tours – TechCrunch

Image
Google today launched a new tool for teachers and their students called Tour Creator, which allows anyone to create their own VR tour using imagery from Google’s Street View or their own 360-degree photos. The new app is designed to work with Google Cardboard and Google’s existing VR “field trips” app Expeditions . The goal with Expeditions is to let people virtually travel the world to see far off places they may never have the chance to visit in person – like Antarctica or Machu Picchu, for example. Google says that since Expeditions’ arrival in 2015, over three million students have virtually visited places around the globe. Now, the idea is to let students and teachers themselves build their own VR experiences and stories without needing technical knowledge. Instead, using Tour Creator, anyone can build an immersive 360-degree tour from their computer. To use the service, you click to get started, give the tour a name and upload a cover photo. You can then search through Go
Read more

Oval Money app launches its investment products for millennials – TechCrunch

Image
Back in April Oval Money launched with the idea of combining expense tracking, saving, and investing into one app, while also adding a social element by enabling its community of users to share tips and suggestions to one another. The idea is to to help users grow their savings in less time by teaching them to monitor spending habits and make saving virtually automatic. The company has raised €1.2M in funding, largely from Italian investors. The startup is to now launch a raft of investment products for socially-conscious savers. Beginning with three funds – supporting gender diversity in boardrooms, flexible working and the brands that millennials trust – the investments marketplace will be available to customers in the smartphone app this summer. The “Women at the Table” fund will allow investors to support companies that ensure that at least 20% of board members are women, while a “Belong but Work Remote” fund promotes the growing flexible jobs economy. “Generation Millennials
Read more

Duo Security researchers’ Twitter ‘bot or not’ study unearths crypto botnet – TechCrunch

Image
A team of researchers at Duo Security has unearthed a sophisticated botnet operating on Twitter — and being used to spread a cryptocurrency scam. The botnet was discovered during the course of a wider research project to create and publish a methodology for identifying Twitter account automation — to help support further research into bots and how they operate. The team used Twitter’s API and some standard data enrichment techniques to create a large data set of 88 million public Twitter accounts, comprising more than half a billion tweets. (Although they say they focused on the last 200 tweets per account for the study.) They then used classic machine learning methods to train a bot classifier, and later applied other tried and tested data science techniques to map and analyze the structure of botnets they’d uncovered. They’re open sourcing their documentation and data collection system in the hopes that other researchers will pick up the baton and run with it — such as, say, to
Read more