Cyber security news for all


    Millions of Deceptive ‘Imageless’ Repositories Planted on Docker Hub Over Five Years

    Security researchers have uncovered a series of coordinated campaigns against Docker Hub, spanning roughly five years, in which millions of deceptive “imageless” repositories were planted on the registry. The findings underline how exposed open-source registries remain to supply chain abuse.

    According to Andrey Polkovnichenko, a security researcher at JFrog, more than four million Docker Hub repositories contain no container image at all and consist solely of repository documentation. That documentation is not harmless: it serves as a landing page that lures unsuspecting users to phishing or malware-distribution sites.

    Of the 4.79 million imageless repositories identified, roughly 3.2 million were used as landing pages that redirect users to fraudulent destinations, across three broad campaigns:

    1. Downloader campaign: Active from the first half of 2021 to September 2023, this campaign lures users with promises of pirated content or gaming cheats. Its links either point directly to malicious sources or to legitimate sites hosting JavaScript that promptly redirects the visitor to a malicious payload.
    2. E-book phishing: Started in mid-2021, this campaign targets users searching for e-books and redirects them to a website (“rd.lesac.ru”) that asks for financial details in exchange for the promised download.
    3. Website cluster: Running from April 2021 to October 2023, this campaign produced thousands of repositories a day, some of which link to Penzu, an online diary-hosting service.

    The downloader campaign’s payload is built to contact a command-and-control (C2) server, send system metadata, and then receive from the server a link to the cracked software.

    The motives behind the website cluster are less clear, not least because the campaign is spread across platforms with lenient content moderation policies.

    Shachar Menashe, JFrog’s senior director of security research, described the campaigns as hard to counter, noting that beyond staying vigilant there is little users can do to protect themselves.

    Menashe warned against complacency, stressing that malware developers will inevitably exploit weaknesses, as the XZ Utils compromise showed, and urged developers to exercise caution when sourcing packages from open-source ecosystems, given how pervasive such threats are.

    In short, the findings underline the need for greater vigilance and stricter security measures to counter the malicious exploitation of open-source repositories and to preserve the integrity of the software ecosystems that depend on them.
