"Containers: The Ultimate Trojan Horse"

Containers are designed to be unchangeable. Once created, the image is permanent, and all container instances spawned from it will be identical. Furthermore, because the container is defined as code, its contents, intents, and dependencies are all explicit. As a result, if used correctly, containers can help reduce supply chain risks. However, attackers have taken note of these advantages, as many threat actors are using containers to deploy malicious payloads and even scale up their operations.

The Sysdig Threat Research Team (Sysdig TRT) investigated what is truly lurking in publicly available containers for the Sysdig 2022 Cloud-Native Threat Report. Docker Hub houses millions of pre-made container images in convenient, self-contained packages that include all required software. Public registries also host official content and images signed by Verified Publishers, providing some trust that they are not malicious and can be safely used. While public registries save developers time, if a user is not cautious, the container they pull may contain malicious elements.

Threat actors value how much friction this technology eliminates from developer workflows. They rely on the fact that many developers may not thoroughly examine what is installed. According to the Sysdig threat report, malicious actors are using Docker Hub to deliver malware, backdoors, and more to users and businesses. One practice to be aware of is typosquatting, which occurs when an image is disguised as legitimate while concealing something malicious within its layers. Its name could be a misspelling, or the attacker could rely on a developer negligently copying some instructions containing the bad path.

Over the course of several months, the Sysdig TRT examined over 250,000 Linux images. During the analysis, 1,777 images were discovered to contain various types of malicious IPs or domains, as well as embedded credentials.
This article continues to discuss key findings from the Sysdig 2022 Cloud-Native Threat Report. 

BetaNews reports "Containers: The Ultimate Trojan Horse"
