Dead Ducky,可怜我就把我买走 穿上弹簧鞋,我身轻如燕 DV玩具 视效工作站 内游戏新局面 爱学习才是好孩子 我们生活在点阵的世界里 Roboraptor机器人(龙?) 电子手镯 - 韩国为屡犯法者创新的新枷锁 树冰箱 手握式消毒器 搞怪的创意头盔 Wet Lamp水灯 防止打鼾的玩意 花六年时间手工制作的全关节金属小人 带着光芒的玩具鸭 EleeNo Bingo 手表 疯狂的碎钞机闹钟 太阳能帐篷 可爱的甲壳虫沙发 未来办公桌 老电视靠枕 创意健身椅 跷跷板书架 可变换外墙的房屋 方便的童椅 炸弹花瓶 一体化厨房 创意衣柜 手动食品加工机 DIY家电沙发 卷纸椅 农场小屋 折叠婴儿床 人体家具 长椅 木结构公共遮阳广场 抱枕遥控器 脊柱书架 天然度假别墅 夹层沙发 小巧太阳能戏院 带摄像头的折叠台灯 移动卧室家具套装 木制装饰导航灯 竹子餐厅 糖果杯 超大iPhone显示屏 渐变的桌腿 另类的桌子
漂流瓶终于彻底拜拜 微信7.0.4新版体验
微信漂流瓶被玩坏了 聊聊漂流瓶里那些事
微信关闭漂流瓶 它曾经满足了我们对世界的好奇
微信暂停漂流瓶功能:对色情内容零容忍
[视频]惠普Chromebook x360 14 G1评测:搭载Chrome OS的商务变形本
特斯拉:北京客户可三年免息融资购车并免费租赁车牌
借贷宝:停止催收百名裸条女大学生 未满23岁将不得借贷
京东白条多地频现盗刷 消费者遭催收公司“逼债”
借款野蛮催收行为将被规范 真是几家欢喜几家愁
为规范网贷催收 上海互金协会发行业倡议书
腾讯解释为什么微信没有夜间模式 真相你相信吗?
一张发行8年的微信唱片:只收录了4首歌曲


漂流瓶终于彻底拜拜 微信7.0.4新版体验
微信漂流瓶被玩坏了 聊聊漂流瓶里那些事
微信关闭漂流瓶 它曾经满足了我们对世界的好奇
微信暂停漂流瓶功能:对色情内容零容忍
[视频]惠普Chromebook x360 14 G1评测:搭载Chrome OS的商务变形本
特斯拉:北京客户可三年免息融资购车并免费租赁车牌
借贷宝:停止催收百名裸条女大学生 未满23岁将不得借贷
京东白条多地频现盗刷 消费者遭催收公司“逼债”
借款野蛮催收行为将被规范 真是几家欢喜几家愁
为规范网贷催收 上海互金协会发行业倡议书
腾讯解释为什么微信没有夜间模式 真相你相信吗?
一张发行8年的微信唱片:只收录了4首歌曲


Tainted, crypto-mining containers pulled from Docker Hub
从DOCKER集线器中提取污染的加密采矿容器

当前位置: 艾金森 > 门户 > 新闻

点击量 13
编辑: 1   作者: Techcrunch   时间: 2018/10/30 23:57:31  

Security companies Fortinet and Kromtech found seventeen tainted Docker containers that were essentially downloadable images containing programs that had been designed to mine cryptocurrencies. Further investigation found that they had been downloaded 5 million times, suggesting that hackers were able to inject commands into insecure containers to download this code into otherwise healthy web applications. The researchers found the containers on Docker Hub, a repository for user images.

"Of course, we can safely assume that these had not been deployed manually. In fact, the attack seems to be fully automated. Attackers have most probably developed a script to find misconfigured Docker and Kubernetes installations. Docker works as a client/server architecture, meaning the service can be fully managed remotely via the REST API," wrote researcher David Maciejak.

The containers are now gone, but the hackers may have gotten away with up to $90,000 in cryptocurrency, a small but significant amount for such a hack.

"Today’s growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create a fully automated tool that forces these platforms to mine Monero," said a writer of a report by Kromtech. "By pushing malicious images to a Docker Hub registry and pulling it from the victim’s system, hackers were able to mine 544.74 Monero, which is equal to $90,000."

“As with public repositories like GitHub, Docker Hub is there for the service of the community. When dealing with open public repositories and open source code, we recommend that you follow a few best practices including: know the content author, scan images before running and use curated official images in Docker Hub and certified content in Docker Store whenever possible," wrote Docker's head of security David Lawrence in a Threatpost report.

Interestingly, of late hackers have moved from attacking AWS Elastic Compute servers on Amazon's platform to Docker and other container-based systems. While there are security systems available to manage Docker and Kubernetes containers, users should remain vigilant and assess their vulnerabilities before hackers get more of an upper hand.