Attackers Planted Millions of Imageless Repositories on Docker Hub

Docker has removed nearly 3 million public repositories from Docker Hub after researchers discovered each one to be imageless and have no content besides an accompanying apparent description page that contained links to malicious content instead.

Researchers from JFrog spotted the threat in a recent investigation and identified the containers as being used in three large-scale campaigns to distribute spam and malware. Docker has since instituted a new mechanism that prevents links to external resources in the description pages of imageless repositories.

More Moderation Needed?

"Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub's platform credibility, making it more difficult to identity the phishing and malware installation attempts," JFrog said in an April 30 report. "Almost 3 million malicious repositories, some of them active for over three years, highlight the attackers' continued misuse of the Docker Hub platform and the need for constant moderation on such platforms."

JFrog found that some 4.6 million imageless repositories were published on Docker Hub over a five-year period. Of that, nearly all of them had associated metadata that was malicious in nature. JFrog researchers counted a total of 208,739 fake accounts that the attackers used to upload the malicious repositories.

According to JFrog, what enabled the threat actors is a Docker policy that allows users to include short text descriptions and metadata in HTML format, along with any container images that they publish to Docker Hub. The purpose in allowing these descriptions is to enable users to search for and find images on the cloud-based registry service that they might find useful for their projects. The feature allowed threat actors to upload imageless containers and to relatively easily include description pages that had embedded links to spam, phishing, and malware sites.

The mass uploads happened in two distinct waves — one in 2021 and the other in 2023. JFrog researchers were able to tie many of the 2021 repository uploads to a campaign to get users to download pirated content and cheats for video games. Most of the URLs in the campaign resolved to sites for malicious file downloads. If a server hosting malicious files was shut down or became otherwise unavailable, the links resolved to a different active server. Another mass upload in 2021 involved a free e-book phishing campaign that appeared designed to steal credit card information.

The 2023 uploads to Docker Hub were a repeat of the 2021 campaign involving pirated content and video game cheats. But instead of the repositories directly pointing to malicious sources, JFrog found them pointing to legitimate resources that quickly redirected victims to a malicious source. One page on blogger.com, for instance, took all of 500 milliseconds to redirect visitors to the malicious payload.

JFrog also uncovered a third campaign that involved a threat actor uploading 1,000 repositories to Docker Hub daily for three years. While the content in the associated documentation appeared harmless, the motive was clearly malicious, JFrog said. The company surmised the threat actor might have been carrying out some kind of a stress testing before launching a malicious campaign.

Taking Advantage of a Policy Loophole

Brian Moussalli, malware research team leader at JFrog, says the threat actors were able to carry out the attacks due to the lack of a policy in place that could have prevented it. "After we disclosed the attacks to Docker Hub, they implemented a protection mechanism that blocks embedding links to external resources in the description pages of imageless repositories," he says.

It's hard to tell how effective the malicious campaigns really were, Moussalli says. But it's likely the attackers used a legitimate site like Docker Hub to host pages containing links to malicious files, so users searching for pirated content, video game cheats, and free e-books wouldn't get suspicious. "Another option could be that they used Docker Hub for legitimacy but spread the links to those pages via direct messages to victims," Moussalli says. "Unfortunately, we're unable to determine how exactly victims were manipulated into clicking those links."

Docker can make things harder for threat actors by implementing restriction on mass creation of accounts, alongside enforcing new rules on repository creation, he says. For example, it could prohibit creation of imageless repositories or not allow new users to embed external links for some time after creation of the account or the repository.