Docker Breach: The ultimate Trojan Horse

A new data breach at software development site Docker Hub highlights the latest twist in the battle for safe systems – sneaking malware into new computer programmes before they’ve even been shrink-wrapped.

On Friday Docker announced that a breach had exposed their user database — only briefly, but long enough to expose data for approximately 190,000 users. The company said that represents less than five percent of its user base.

Docker is a software system that lets developers run virtual computer operating systems to test how well new programmes work. The virtualisation happens in a controlled environment called a container, which holds all key software components like applications, libraries and configuration files. Containers are created from software images that specify their precise contents.

The breach reportedly exposed usernames and hashed passwords for Docker Hub, and access tokens for some users’ Github and Bitbucket accounts.

All three sites are places where new software is developed, stored, and shared with other developers for problem solving and collaboration. Hackers gaining access to software hosted on any of them would have a direct view into its workings and potentially insert malware into the underlying code.

The ultimate Trojan Horse

These kinds of Supply Chain Attacks have emerged as a serious issue in cybersecurity. Targeting software developers and suppliers, their objective is to access source codes, build processes, and mechanisms that deliver software updates to sneak malware into legitimate applications.

Attackers hunt for ways to break into network protocols, server infrastructures, and raw code where possible. They break in, change source codes, and hide malware in the compromised software.

Because the software is created by trusted vendors, infected apps are signed and certified safe. The vendors in software supply chain attacks are unaware that their apps or updates have been infected when they’re released to the public. The malicious code embedded within then runs on company systems with the same trust and permissions as the app itself.

Given the popularity of some applications the number of potential victims is significant. The rewards of a single infection to a widely-used piece software could net hundreds, thousands or even millions of victims. Compare that payday to the risk-reward ratio when breaking into a single corporate system. 

Other practical reasons why cyber criminals use supply chain attacks:

• They allow them to exploit a trusted channel to infiltrate well-protected organisations
• If an automatic update is compromised the number of infections can grow quickly
• Specific geographies or sectors can sometimes be targeted
• They enable targeting of isolated assets, such as those in industrial environments like manufacturing or utilities
• The use of trusted processes makes it harder to uncover infection or its source

Supply chain attacks first reared their head in March 2018 when Microsoft uncovered a widespread campaign to infect systems with a malware called Dofoil. The virus had been inserted into a BitTorrent file sharing client called MediaGet, by replacing a legimimae software update package with a malicious one.

Other campaigns have popped up since. Attackers used the same trick to deliver a cryptocurrency miner through a PDF editing application. It succeeded by compromising a software collaboration platform shared by the software vendor and one of its development partners. Supply chain attacks have also targeted web browser extensions, and WordPress plugins.

What can you do?

Advice for defending against this sort of attack is limited, and at the moment is weighted toward vendor claims about the effectiveness of different solutions in identifying adverse behaviour on the network.

That places it firmly in the one to watch category.

Docker is advising anyone affected by the breach to do the following:

• Change passwords on Docker Hub and any other accounts using the same password.
• Check for security actions on BitBucket and GitHub for any unexpected account access that may have occurred since Thursday.
• Users running automated software on Docker Hub builds may need to unlink and relink the relevant source files on GitHub and Bitlocker.

More general advice to fend off supply chain infections includes:

• Testing all new updates in sandboxed test environments to detect any suspicious behaviour.
• Monitor systems and traffic behaviour to help identify any odd or adverse patterns, enabling you to block suspicious applications before they can do damage
• Ask software vendors what steps they’ve taken to be able to detect any unwanted changes in their software development processes.
• Finally, make sure employees are able to identify the signs of unexpected behavior in the software systems they use every day.

Want to learn more about empowering employees with security awareness training?  Sign up for a free demo and find out how we’re already helping organisations just like yours.