Cloud Security Attack and Defense (6) Mirror Poisoning
With the popularity of container technology, container images have also become a very important part of the software supply chain. Just like using tools such as pip to obtain various programming software libraries from warehouses, people can pull images from Docker Hub or third-party warehouses, develop on the basis of them, so as to achieve the required functions, and finally package and release
However, there may be problems with the basic image that the business relies on—whether it is a security hole accidentally caused by the developer or a malicious code deliberately buried by the attacker. The potential harm of this "endogenous risk" is much more serious than that of hackers launching an attack from the outside , and are less likely to be detected.
Let's introduce a container software supply chain attack: Image poisoning
mirror poisoning
Mirror poisoning is a broad topic. It refers to the attackers deceiving, Induces the victim to use the malicious image specified by the attacker to create and run the container, so as to achieve intrusion or use the victim's host for malicious activities
According to different purposes, there are three common types of image poisoning: malicious mining images, malicious backdoor images, and malicious exploit images
Launch a malicious mining image
This kind of poisoning behavior is mainly to deceive victims to deploy containers on the machine to obtain economic benefits. In fact, some researchers have discovered malicious mining image distribution behavior based on Docker Hub. In June 2018, a research report pointed out that an account named docker123321 uploaded 17 malicious images containing mining codes to Docker Hub. As of the official removal of these images from Docker Hub, they have been downloaded more than 5 million times. This also shows that people are not vigilant enough about unofficial warehouses or container images of unknown origin. According to statistics, hackers have obtained Monero worth about $90,000 through this behavior.
Launch malicious backdoor images
This poisoning behavior is mainly to achieve control of the container. Usually, after the victim deploys the container on the machine, the attacker will receive the shell bounced by the container. In contrast, this type of poisoning may be less, because when the isolation is effective, even if the attacker takes To a shell inside a container, the attack surface is still limited. Of course, the attacker may also use this shell to deploy some mining programs inside the container to gain benefits.
Drop a malicious exploit image
This poisoning behavior is to try to exploit various vulnerabilities on the host machine to achieve container escape and other purposes after the container is deployed, so as to achieve stronger control over the victim machine. With the popularization of containers and cloud-native technologies, more and more related security vulnerabilities will be exposed, so this kind of image poisoning will definitely become more and more common. From the perspective of offense and defense, malicious exploit mirroring is a delivery method of attack load, which is characterized by concealment and possible huge impact range. Just imagine, if a popular image on Docker Hub contains a certain Nday or 0day exploit program, in theory, the attacker may gain control of millions of computers at once (quite outrageous)
Summarize
Whether in the real world or the virtual world, the problems and hidden dangers buried in the software supply chain are often very harmful. It's like the upstream water is polluted, and the drinking water for people downstream can no longer be used. Also in the IT industry, if there is a security problem in the software supply chain, even if the defense system is impenetrable, its final effect will be greatly reduced