Prevasio Completes First-Ever Full Security Scan of the Docker Hub, Reveals Critical Vulnerabilities & Malware Issues on 51 Percent of Containers

2020-12-02 17:00:00 - Tampa, FL and Sydney, Australia - (PR Distribution™)

Analysis of more than four million containers showcases serious risk to enterprises who have adopted Docker to build and share applications

Tampa, FL and Sydney, Australia - December 2, 2020 - Prevasio, developers of next-generation dynamic threat analysis for Docker containers, today announced the completion of the first and only comprehensive security scan of the entire Docker Hub, encompassing more than four million public container images. Dubbed “Operation Red Kangaroo” by the company, the scan was completed using Prevasio’s Analyzer, the company’s innovative sandboxing and behavioral analysis system for Docker containers. The results show that Docker containers present a potentially serious risk to enterprise customers implementing container technology without adequate security protocols in place. 

“With thousands of malicious or potentially harmful containers found by Prevasio, Docker Hub is not as resilient to attacks as previously thought,” says Rony Moshkovich, CEO of Prevasio. “While most of the reported containers contain cryptocurrency miners, there are also a fair amount of ‘trojanized’ images of popular platforms, such as WordPress, Apache Tomcat, or Jenkins. Enterprises that have embraced Docker must be aware of these threats in order to protect their organizations and data.” 

Prevasio’s analysis ran across the entire Docker Hub and found:

  • 51 percent of all containers had “critical” vulnerabilities, while 13 percent were classified as “high” and four percent as “moderate” vulnerabilities.
  • Six thousand containers were riddled with cryptominers, hacking tools/pen testing frameworks, and backdoor trojans. While many cryptominers and hacking tools may not be malicious per se, they present a potentially unwanted issue to an enterprise.
  • More than 400 examples (with nearly 600,000 pulls) of weaponized Windows malware crossing over into the world of Linux. This crossover is directly due to the proliferation of cross-platform code (e.g. GoLang, .NET Core and PowerShell Core).

“Docker adoption has become a standard for enterprise-class complex applications in the corporate world, with the majority of large enterprises implementing Docker containers in some form,” says Alex Eckelberry, a security expert and advisor to Prevasio. “With containerization now ubiquitous, the attack surface has increased exponentially, and the results of this analysis should be of concern to any enterprise customer.”

A full white paper illustrating in detail how the analysis was conducted and full results can be viewed at https://prevasio.com/red-kangaroo.

Methodology

The Prevasio Analyzer™ dynamically analyzed all available public container images hosted at the Docker Hub. The Analyzer ‘detonated’ each container inside of a dedicated virtual environment, capturing its behavior. The system was executed non-stop for one month on 800 machines running in parallel.

About the Prevasio Analyzer

Prevasio Analyzer is the only sandboxing and behavioral analysis system for Docker containers. The Analyzer performs a smart detection of the tech stack and then attacks it with an automated full-scale penetration test that conforms to the cyber kill chain. The test consists of highly-tailored attacks that target the services running inside the analyzed container with surgical precision. Prevasio carries out these operations in an isolated environment hosted outside the customer's infrastructure for a risk-free SaaS experience.

Prevasio Analyzer also uses a proprietary Machine Learning (ML) classifier to distinguish malicious Linux executables within a container. As a result, Prevasio Analyzer is resistant to code modification techniques often employed by attackers to fly under the radar of signature-based detectors used by all existing container security vendors.

Prevasio raises the bar by providing a visual graph of all system events within a container. It understands the relationships between those events and exposes them so that customers can easily see and understand the risks.

About Prevasio

Prevasio (www.prevasio.com) was founded in 2020 by a group of dedicated DevOps and threat research experts. The company aims to bridge the gap between DevSecOps and threat research, allowing IT professionals to look at containers from a vastly different perspective - through attackers’ eyes.

 

Media Contacts:


Full Name: Sarah Hawley
Company: Mockingbird Communications
Phone Number: +1 480-292-4640