With containers open for malware, app developers must keep a close eye on code

SysDig researchers found over 1,600 malicious images on Docker Hub.

Francis Scialabba

· 4 min read

Hackers are just like us—they can’t resist a Container Store.

Application containers, that is: the lightweight components powering many an app’s microservices. The software units, which isolate functions and require few resources, are appealing to developers looking to build apps and attackers looking to carry malware.

A November report from the cloud-native threat-detection company Sysdig found that the free, public-facing container registry known as Docker Hub held many malicious executable container files, also known as images. The findings offer a reminder to IT pros: Shared code has its dangers.

“Containers themselves are highly valuable. The functions that they provide for the business, the ability to create that scalability and that growth, are critical. But, the use from an open-source perspective [and] the lack of diligence that we’re performing when we are pulling down a container is the risk,” said Bill Young, VP and general manager of threat management at the consultancy Optiv.

A quick container explainer.

  • What a container is: Traditionally, applications are run on an operating system. A container has everything it needs to run: application code, dependencies, systems libraries, and settings. With a platform like Kubernetes or Docker Engine, the container can be run across computing environments, including private data centers, public clouds, and laptops.
  • Gimme an analogy: “It’s almost [like] having these little mini virtual machines, but you can have dozens and dozens running on a host at a time,” said Michael Clark, director of threat research at Sysdig. Almost. A key difference between containers and VMs is that containers virtualize at the OS level, while VMs virtualize at the hardware level.
  • Why you might need dozens: Let’s say an application processes credit cards. A container could perform a validation task for an individual transaction, destroy itself, then a new container could be initiated for the next card.
Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Sysdig researchers found that 1,652 of over 250,000 Linux images hosted on the Docker platform had nefarious content in their layers, ranging from cryptominers to embedded keys that enable hackers to run commands, and credential stealers. The malicious images were disguised as known, popular open-source software—often a typo away from the desired component.

Codesharing, popular on platforms like GitHub, has spread to spaces like Docker Hub, as has malware—a dark result for a community-based resource.

“It’s a real pity in many ways, because a lot of these were resources that were great for developers to learn on and to do small scale experiments on…It’s been a big problem across the industry as a whole. It’s not container-specific,” said Justin Cormack, CTO at Docker.

In recent years, Docker has made security-focused changes in the face of attacks. Docker discontinued its automated-build option after cryptomining gangs targeted free cloud providers. The platform also has an Official Images program to help root out malicious fakers. A new version of Hardened Docker Desktop was released this October, with enhanced configuration and settings controls.

In addition to checking install scripts and monitoring containerized environments, Young said there’s an even more secure option with containers: Build them from scratch, to know for sure what’s in the box, and to take full advantage of the helpful components:

“They’re good, they provide a lot of value, but you have to have a proper process and proper due diligence around them to be using them effectively,” said Young.—BH
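The two defensive points above, spotting an image name that is "a typo away" from a popular one and knowing exactly what went into the box, can be checked mechanically before a build runs. The script below is an added example written for this article; it is not code from Sysdig, Docker or Optiv. It parses the `FROM` lines of a Dockerfile, compares each Docker Hub image name against a constructed allowlist of vetted official images using edit distance, and flags images that are not pinned by digest or ride a floating tag. `FROM scratch` is skipped, since that is the build-it-yourself case Young recommends. The allowlist, the sample Dockerfile and its all-zero digest are constructed for the demonstration, not real values.

```python
import re
from typing import NamedTuple, Optional

# Constructed allowlist: official (library) images this team has vetted.
TRUSTED_IMAGES = frozenset({"python", "nginx", "alpine", "redis", "postgres", "node", "ubuntu"})

# Matches "FROM [--platform=...] <image> [AS <stage>]"; the keyword is case-insensitive.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE)


class ImageRef(NamedTuple):
    registry: Optional[str]  # None means Docker Hub
    name: str                # repository path, e.g. "python" or "someuser/redis"
    tag: Optional[str]
    digest: Optional[str]


class Finding(NamedTuple):
    line: int
    ref: str
    issues: list


def parse_image_ref(ref: str) -> ImageRef:
    """Split [registry/]path[:tag][@digest] into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:  # a ':' after the last '/' is a tag, not a registry port
        name, tag = ref[:colon], ref[colon + 1:]
    parts = name.split("/")
    registry = None
    # The first path component is a registry only if it looks like a host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    return ImageRef(registry, "/".join(parts), tag, digest)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_ref(img: ImageRef, trusted=TRUSTED_IMAGES, max_distance: int = 2) -> list:
    """Return human-readable issues for one image reference (empty list means clean)."""
    issues = []
    if img.registry is None:  # Docker Hub: the registry discussed in the article
        namespace, _, repo = img.name.rpartition("/")
        if namespace:
            issues.append(f"non-official Docker Hub namespace '{namespace}'; verify the publisher")
        if repo not in trusted:
            closest = min(trusted, key=lambda t: edit_distance(repo, t))
            d = edit_distance(repo, closest)
            if d <= max_distance:
                issues.append(f"'{repo}' is a lookalike of trusted image '{closest}' (edit distance {d})")
            else:
                issues.append(f"'{repo}' is not on the trusted-image list")
    if img.digest is None:
        issues.append("not pinned by digest; a re-tagged image would be pulled silently")
        if img.tag in (None, "latest"):
            issues.append("floating tag; contents can change between builds")
    return issues


def audit_dockerfile(text: str, trusted=TRUSTED_IMAGES) -> list:
    """Return a Finding for every FROM line except 'FROM scratch'."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m or m.group(1).lower() == "scratch":
            continue
        findings.append(Finding(n, m.group(1), check_ref(parse_image_ref(m.group(1)), trusted)))
    return findings


# Constructed sample Dockerfile; the all-zero digest is a placeholder, not a real image digest.
SAMPLE_DOCKERFILE = "\n".join([
    "FROM scratch",
    "FROM python:3.12-slim@sha256:" + "0" * 64,
    "FROM pyhton:3.12",
    "FROM nginx:latest",
    "FROM someuser/redis:7 AS cache",
])

if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {'OK  ' if not f.issues else 'WARN'} {f.ref}")
        for issue in f.issues:
            print("    -", issue)
```

Run against the constructed Dockerfile, the pinned `python` image passes, `pyhton` is reported as a lookalike of `python`, `nginx:latest` is reported for its floating tag, and `someuser/redis` is reported because it lives outside the official namespace even though the repository name matches a vetted image. The edit-distance threshold of 2 is an assumption; tighten it to 1 if the allowlist contains names that are naturally close to each other.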

Do you work in IT or have information about your IT department you want to share? Email [email protected]
