According to an official email sent to users, hackers gained access to Docker Hub, the official repository for Docker container images, “for a brief period.” However, during that “brief period,” approximately 190,000 user accounts were compromised, exposing data such as usernames, hashed passwords, and GitHub and Bitbucket tokens for Docker autobuilds. At the time of this writing, Docker is still investigating the hack, so it is unclear how the hackers got into Docker Hub or just how “brief” their time inside the system was.

Whatever Docker’s investigation ultimately uncovers, the Docker Hub hack should be deeply concerning to everyone. As enterprises increasingly ditch on-prem infrastructure and virtual machines in favor of clouds and containers, cybercriminals are following — but container security hasn’t kept up.

Enterprises are implementing clouds, and containers, faster than they can secure them

At this juncture, no one disputes that the future is in cloud computing; even enterprises that are required by compliance mandates to run some workloads on-prem are implementing hybrid cloud infrastructures so that they can take advantage of some of the benefits of the cloud on-prem. The RightScale 2019 State of the Cloud Report found that 94% of enterprises use cloud computing, with 58% running hybrid clouds (up from only 51% the year before), and 85% running multi-cloud environments.

The popular DevOps philosophy, which (among other things) encourages enterprises to automate as many IT processes as possible, has fueled the race to the cloud. It’s also prompted organizations to shift from virtual machines to more lightweight, portable, and flexible containers. Docker containers are by far the most popular; the RightScale survey found that Docker adoption increased from 49% in 2018 to 57% in 2019. Kubernetes, a container orchestration system often used alongside Docker, is also seeing strong growth, nearly doubling in popularity between 2018 and 2019.

Organizations’ appetite for hybrid clouds, multi-clouds, and containers is so ravenous that Google centered its recent Next ’19 conference around the launch of Google Anthos, a hybrid/multi-cloud management platform built atop Google Kubernetes Engine.

Unfortunately, the Docker Hub hack may end up being the fly in the cloud container soup.

Cloud container security lagging behind implementation

While organizations certainly reap a world of benefits by migrating to the cloud and using containers instead of VMs, cloud security is quite different from the on-prem security many enterprise personnel are accustomed to. Because of all their moving parts, hybrid and multi-cloud environments are notoriously difficult to secure. Respondents to the RightScale survey reported that their organizations are implementing cloud strategies faster than they can keep up.

Cybersecurity professionals are also fretting about container security. Sixty percent of respondents to a Tripwire survey reported that their organizations experienced at least one container security incident in the past year, and a whopping 94% are concerned about container security in their organizations.

Docker Hub hack could have far-reaching implications

Even though the Docker Hub hack appears to have impacted only about 5% of the company’s customer base, the potential implications are far-reaching. Many very large companies, including software development companies and other IT service providers, use Docker containers. The stolen GitHub and Bitbucket tokens can be used to access those companies’ private code repositories and inject malware into critical software auto-built by Docker, setting the stage for multiple hacks of the original target company and possibly its customers.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.