In September 2020, Aqua’s Team Nautilus detected a campaign that targeted the automated build processes of GitHub and Docker Hub. At that time we notified the affected services and they blocked the attack. Now, this campaign has resurfaced with vengeance. In just four days, the attackers set up 92 malicious Docker Hub registries and 92 Bitbucket repositories to abuse these resources for cryptocurrency mining.
As in our threat research activity we regularly scan images on Docker Hub using Aqua Dynamic Threat Analysis (DTA), we were able to detect and investigate this attack in real time. The adversaries create a continuous integration process that every hour initiates multiple auto-build processes, and on each build, a Monero cryptominer is executed. In this blog, I will examine the attack kill chain and analyze what’s going on behind the scenes.
Step 1: Creating email accounts
The adversaries created several fake email accounts using a free Russian email service provider (for instance vuk[.]popovicm[@]inbox[.]ru).
Step 2: Setting up a Bitbucket account
Then, they set up a Bitbucket account with a few repositories. To evade detection, each of them was masquerading as a benign project using the official project documentation.
Step 3: Creating a Docker Hub account
The adversaries also created a Docker Hub account with several registries. Each registry was masquerading as a benign registry using its documentation to evade detection.
The images are built on these service providers’ environments and then hijack their resources in order to mine cryptocurrency. This mechanism is reflected in the Dockerfile below:
When pulling and running the image it fails, since the CMD is instructing to run a JSON file with bash command.
This campaign shows the ever-growing sophistication of attacks targeting the cloud native stack. Bad actors are constantly evolving their techniques to hijack and exploit cloud compute resources for cryptocurrency mining. It also reminds us that developer environments in the cloud represent a lucrative target for attackers as usually they are not getting the same level of security scrutiny.
As always, we recommend that such environments have strict access controls, authentication, and least-privilege enforcement, but also continuous monitoring and restrictions on outbound network connections to prevent both data theft and resource abuse.
March 8th update: Prior to the publication of this blog we updated the security team of Atlassian, the parent company of Bitbucket. They updated us that they have ensured that all the necessary response actions concerning accounts and repositories identified in the campaign have been executed and also confirmed that there was no impact on Atlassian service or customers as cryptominers were mostly targeting third party CI/CD providers.
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads, wherever they are deployed.
Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.