Docker Hub and Bitbucket Resources Hijacked for Crypto-Mining


Security researchers are warning of a resurgent campaign to hijack developer resources for cryptocurrency mining.



A team from Aqua Security explained that over the period of just four days, attackers set up 92 malicious Docker Hub registries and 92 Bitbucket repositories to abuse these resources.



“The adversaries create a continuous integration process that every hour initiates multiple auto-build processes, and on each build, a Monero cryptominer is executed,” said Aqua Security’s lead data analyst, Assaf Morag.



The kill chain is pretty straightforward. First, the attackers register multiple fake email accounts using a Russian provider. They then set up a Bitbucket account with several repositories. These use official documentation to appear legitimate.



They do a similar thing with Docker Hub, creating an account with several linked registries.



The images are built on Docker Hub/Bitbucket environments and subsequently hijack their resources to illegally mine cryptocurrency.



Morag concluded that developer environments like these are an increasingly popular target for cyber-criminals as they are often overlooked by security teams.



“This campaign shows the ever-growing sophistication of attacks targeting the cloud native stack. Bad actors are constantly evolving their techniques to hijack and exploit cloud compute resources for cryptocurrency mining,” he warned.



“As always, we recommend that such environments have strict access controls, authentication, and least-privilege enforcement, but also continuous monitoring and restrictions on outbound network connections to prevent both data theft and resource abuse.”



The discovery comes just a few months after Aqua Security spotted a similar campaign. In September last year, it detected a campaign targeting the automated build processes of Docker Hub and GitHub. The af ..
