@cwebber The beginning of the second article you shared describe pretty much that affected clusters where misconfigured or test clusters left open:

> Kubernetes clusters that were deployed for educational purposes or for tests with lack of security requirements represent a great threat for its owners. Even an experienced engineer could care less or even forget about that part of the infrastructure after tests.

@cwebber And the headline of one of the initial reports about this kind of stuff (https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack):

> This isn't a story about a Docker vulnerability; it's a story about how hackers are looking for unsecured Docker deployments where they can mine cryptocurrency. You shouldn't leave your Docker daemon unsecured any more than you would leave your mail server unsecured.

@eliotberriot The link you posted was to a different attack, though I agree has some similar properties.

@eliotberriot At any rate, though I agree these images are probably more the deployment payload rather than the entry point vulnerability in this particular case, I think that was helped by a culture (and toolchain) of non-reproducibility on DockerHub. I'm sure there are plenty more of these, but how to know which has what? By being mostly impenetrable, so is the discovery of malware... and for that matter, vulnerabilities: http://delivery.acm.org/10.1145/3030000/3029832/p269-shu.pdf

@cwebber I think we're on the same page (docker image as the vector of the attack and not the root cause).

No for the non-reproducibility part, I really lack cultural background (I'm a pretty young dev, self-taught, so it does not help :/), but I think you are right

All of this is reminding me of https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

(I cannot read the link you posted, I get an error)

@eliotberriot link at top of https://blog.acolyer.org/2017/04/03/a-study-of-security-vulnerabilities-on-docker-hub/

@cwebber as for security, installing the Docker daemon using the official package do not expose it to the outside world (which is needed for this attack to work)

It needs specific configuration to expose it. And if you do that, well, either you know or don't know what you're doing, and it's not the tool's fault ;)