Backdoored images downloaded from DockerHub 5 million times https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/ https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers

Malware installed through DockerHub can also escape the container, so may continue to run.

Friends don't let friends install unreproducible black box container images.

@cwebber to be honest, the issues seem to come from open and unprotected kubernetes clusters.

So yeah, if you leave your orchestration tools wide open, attackers can execute code (docker images or not) on your infrastructure, it's not especially new, imho.

If you execute untrusted code, you can end up mining cryptocurrencies, it's not a docker specific issue ;)

@eliotberriot Leaving your orchestration tools wide open to attack should be difficult to accidentally do, but clearly that's not the case. Security ergonomics need to be a priority, whereas I think "get things up and running fast" is the priority in Docker-land. Admittedly that's been key to its wildfire-fast adoption... at serious costs.

We also need to get people out of the habit of believing that any non-reproducible deployment or binary system is safe to deploy.

@cwebber The beginning of the second article you shared describe pretty much that affected clusters where misconfigured or test clusters left open:

> Kubernetes clusters that were deployed for educational purposes or for tests with lack of security requirements represent a great threat for its owners. Even an experienced engineer could care less or even forget about that part of the infrastructure after tests.

@cwebber And the headline of one of the initial reports about this kind of stuff (https://blog.aquasec.com/cryptocurrency-miners-abusing-containers-anatomy-of-an-attempted-attack):

> This isn't a story about a Docker vulnerability; it's a story about how hackers are looking for unsecured Docker deployments where they can mine cryptocurrency. You shouldn't leave your Docker daemon unsecured any more than you would leave your mail server unsecured.

@eliotberriot The link you posted was to a different attack, though I agree has some similar properties.