Security researchers at Palo Alto Networks Inc. today detailed a malicious Docker Hub account that was hosting six malicious images used to mine Monero cryptocurrency.

The malicious account is believed to have been active since October 2019. The code used in the malicious images was designed to evade network detection by using network anonymizing tools such as ProxyChains and Tor.

An odd bad actor here or there may not be that newsworthy, but where this differs is that the researchers estimate that the images hosted on the account had been collectively pulled more than 2 million times. By comparison, legitimate Azure related images under the official Microsoft Docker Hub account have anywhere from a few thousand to hundreds of millions of pulls.

One of the wallet IDs identified in the malicious images was found to have raised around $36,000 with activity ongoing. The attackers used two different methods to mine Monero in the malicious images. In one method the code was designed to directly submit mined blocks to the central minexmr pool using a wallet ID. The second method used a hosting service where those behind the images used their own mining pool.

After being informed of the malicious images, the Docker security team pulled the images and canceled the account being used.

Wei Lien Dang, co-founder and chief strategy officer at container security firm StackRox Inc. told SiliconANGLE that software coding today very frequently includes using images that are made available in public registries such as Docker Hub, which makes uploading compromised images a clear attack vector.

“We’ve seen numerous examples of attackers successfully planting cryptominers in public Docker images,” Dang said. “Fundamentally, organizations must take care in the registries their users access for downloading images and the images that are allowed to be used to launch containers. Standard advice includes using private trusted registries and allowing only vetted images to be employed.”

Image: Kyohei Ito/Flickr