Docker Image – a Rising Threat Vector?
In a previous post of our DevSecOps blog series, we talked about the potential of malware existing in source code and build artifacts, and how teams can secure their software build pipeline using MetaDefender for Jenkins. Continuing the theme of DevOps security in this blog, I will demonstrate how to use MetaDefender for Jenkins to detect malware and vulnerabilities in Docker images.
Container Infrastructures: Expanding Surface for Supply Chain Attacks
Microservices and containers have seen tremendous growth. Thanks to their lightweight and fast-to-deploy nature, container technology will only continue to expand. However, containers also house outdated and vulnerable software more often than not, and bad actors have leveraged this automated build-and-publish ecosystem to run supply chain attack campaigns, putting target organizations and their associated parties at risk.
An analysis of 4 million public images on Docker Hub revealed the out-of-sight risks in containers. Half of these images (51%) contained at least one critical vulnerability and 13% had high-severity vulnerabilities. More than 6,400 images were considered malicious because they contained cryptocurrency miners, malicious Node Package Manager (NPM) packages, hacking tools, and malware.
In another campaign, attackers used Docker images for cryptomining: five malicious images were pulled more than 120,000 times in 2021. The campaign relied on typosquatting, publishing images under misspelled or misleading names such as “openjdk” and “golang” in place of the official “OpenJDK” and “Golang” images on Docker Hub. The aim was to trick the victim into running the binary xmrig, a Monero cryptominer that can be abused to hijack an organization's compute resources.
Docker is one of the most popular containerization platforms adopted by 7 million users, with 7 million repositories and 242 billion pulls created in 2020. It's high time that organizations seriously considered protecting container infrastructures as one of their cybersecurity best practices.
Overcoming Risks in Docker Images
The best approach to avoiding accidental pulls of illegitimate images is to adopt the zero-trust security model. All files must be treated as potential risks and thoroughly scanned, so that threats are detected before the image is ever used.
One way to do so is with a vulnerability scanning tool such as the native Docker Scan or a similar alternative. If no such solution is available, you can save your Docker image as an archive file and send it to an analyzer service.
Another easy method is to scan your Docker images with the MetaDefender for Jenkins plugin.

Detect Malware and Vulnerabilities with MetaDefender for Jenkins
As a first step, I created a build scan configuration with a command-line build step, as shown below. The build pulls a Docker image and saves it as a TAR file. For demonstration purposes, I used a Docker image containing an EICAR test file.

Next, I added a build step to scan the saved image with MetaDefender Core, then I started the build.

As soon as the build was complete, MetaDefender detected malware in the Docker image.

I clicked on the URL to view the detailed results in MetaDefender Core.

See this video for the full demonstration:
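To make the "save the image as a TAR file, then hand it to an analyzer" step concrete, here is an added example that is not part of the original post or of the MetaDefender for Jenkins plugin. It mirrors the two build steps above: `save_image()` wraps the `docker pull` / `docker save` commands a command-line build step would run (it needs a Docker daemon and is not exercised by the self-test), and `scan_image()` walks the archive that `docker save` produces, layer tarball by layer tarball, so that every file inside the image is submitted for analysis and each detection is reported with the layer that introduced it. `scan_bytes()` is a deliberately minimal stand-in for the real analyzer (MetaDefender Core in the post): it only recognizes the public EICAR test file, which is exactly what the demo image carries. The sample archive, its tag `demo/eicar-test:latest` and its layer names are constructed in `build_sample_image()` so the script runs offline.

```python
import hashlib
import io
import json
import subprocess
import tarfile

# Public EICAR test string, the same harmless test file the demo image in the post carries.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def save_image(image_ref: str, out_path: str) -> None:
    """Equivalent of the command-line build step: pull the image, then `docker save` it.

    Needs a Docker daemon, so the self-contained demo below does not call it."""
    subprocess.run(["docker", "pull", image_ref], check=True)
    subprocess.run(["docker", "save", "-o", out_path, image_ref], check=True)


def scan_bytes(data: bytes) -> list[str]:
    """Toy stand-in for the analyzer service: flags only the EICAR test file."""
    return ["EICAR-Test-File"] if data.strip() == EICAR.encode() else []


def iter_image_files(image_tar: bytes):
    """Yield (layer, path, content) for every regular file in a `docker save` archive.

    manifest.json lists, per image, its layer tarballs in order; each layer is itself
    a tar of the filesystem changes that layer introduced."""
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for image in manifest:
            for layer_name in image["Layers"]:
                layer_bytes = outer.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for member in layer.getmembers():
                        if member.isfile():
                            yield layer_name, member.name, layer.extractfile(member).read()


def scan_image(image_tar: bytes) -> list[dict]:
    """Scan every file in every layer; report detections with the layer they came from."""
    report = []
    for layer, path, data in iter_image_files(image_tar):
        hits = scan_bytes(data)
        if hits:
            report.append({
                "layer": layer,
                "path": path,
                "sha256": hashlib.sha256(data).hexdigest(),
                "detections": hits,
            })
    return report


def _tar_of(files: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar archive in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for `docker save` output: a clean base layer plus an
    application layer that adds the EICAR test file, like the post's demo image."""
    base_layer = _tar_of({"etc/os-release": b"ID=alpine\n", "bin/sh": b"#!/bin/sh\n"})
    app_layer = _tar_of({"app/eicar.com": EICAR.encode()})
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["demo/eicar-test:latest"],  # constructed tag, not a real image
        "Layers": ["base/layer.tar", "app/layer.tar"],
    }]).encode()
    return _tar_of({
        "manifest.json": manifest,
        "config.json": b"{}",
        "base/layer.tar": base_layer,
        "app/layer.tar": app_layer,
    })


if __name__ == "__main__":
    # For a real image you would first call save_image("some/image:tag", "image.tar")
    # and pass the file's bytes to scan_image(); here we use the constructed archive.
    for finding in scan_image(build_sample_image()):
        print(finding)
```

Reporting the layer alongside the path matters in practice: a detection in a base layer points at the upstream image you pulled, while one in the last layer points at your own build step, which tells you where the remediation belongs.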
About OPSWAT MetaDefender for Jenkins
OPSWAT MetaDefender for Jenkins helps organizations secure their Software Development Life Cycle (SDLC). The plugin checks your builds for malware and secrets before releasing the application to the public to prevent attacks on software supply chains. MetaDefender for Jenkins is powered by the full capabilities of the MetaDefender platform — including Metascan, Deep CDR, Proactive DLP, and Vulnerability Assessment — to scan all source code, artifacts, and dependencies for threats and vulnerabilities. Learn more about MetaDefender for Jenkins and other OPSWAT free tools.
For more information, please contact our cybersecurity experts.
