You’ve probably already read about the compromise of Docker Hub leading to the loss of 190,000 credentials. We’ve had customers ask about what this means and what they should think about. So, a few points to consider:
There is no impact to Twistlock – even if you install Twistlock from the internet, you’re pulling from our dedicated, self-managed registry, completely separate from Docker Hub.
There could be quite a broad impact from this attack – but it’s too early to know at this point. Access to a Hub account means read/write access to repos that anyone on the internet can easily reuse with a simple docker pull myrepo/myimage. We don’t yet know which specific accounts were compromised or what (if anything) the attackers did once they gained access to them. However, it’s both a possible and realistic scenario that an attacker may have quietly poisoned images in them, embedding malware that they hope propagates elsewhere as others on the internet pull from these repos. Depending on the popularity of those repos, this may result in a huge ripple effect or little at all. There’s no way to know without more details.
Change your password, now. Better yet, have software generate and manage a strong one as described below.
Review any changes to any images in your accounts – if anything looks suspicious (e.g. pushes that you don’t recall making) remove it.
Credential compromise is one of the most salient threats most individuals and organizations face every day. There’s literally nothing more effective you can do than to use unique passwords for each service you interact with. Obviously, it’s not possible for a human to remember hundreds of good passphrases, so remember one good one, use a password manager, and use app-based (not text-message-based) multi-factor authentication for it and everything else you can. There are a variety of good password manager options; some I can recommend from personal experience:
LastPass – Excellent user experience, especially for families where credential sharing is made easy.
KeePass – A great option for sharing administrative credentials if you’re mostly a Windows shop, particularly powerful when using the binary distribution and storing on a secure file share to facilitate simple sharing amongst admins.
Pass – Another great tool but with more of a Linux heritage, particularly powerful when combined with git for sharing and sync.
If you’re using a password manager, the scope of this compromise (and most other credential compromises) to you personally is far more contained than if you’re reusing the same credentials for multiple sites. The credentials harvested here are almost certainly already being tried against other services, but having them work in only one place greatly reduces the blast radius of the problem.
GitHub is one of the most popular integrations with Docker Hub. It’s not possible to provide Docker Hub with only read access to a repo – it requires read/write. Thus, if you’ve ever integrated Docker Hub with GitHub, you should thoroughly review the state of your GitHub repos with an eye towards any unexpected changes. Fortunately, git itself makes this relatively easy in most environments, but it can be challenging in a large, busy organization. Unfortunately, Docker hasn’t shared any additional details on when the compromise is believed to have begun, so there’s no practical way to time-scope these reviews.
Our Twistlock Labs team is watching for any additional intelligence on specific accounts compromised or specific actions taken by attackers. If we learn more, we’ll share what we know about the potential scope of the problem and any other protective actions we’d recommend.
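One way to do that review with git’s own log, as an added example (not Twistlock’s tooling or anything Docker ships): it assumes you maintain an allowlist of committer e-mail addresses and that your team signs commits, and it flags anything outside that baseline for a human to look at. The sample log lines are constructed; review_repo runs the same logic against a real checkout.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of what `git log --format='%H%x1f%ce%x1f%cI%x1f%G?%x1f%s'` prints.
# %x1f is the ASCII unit separator, so subjects containing '|' cannot break parsing.
SAMPLE_LOG = (
    "a1b2c3\x1falice@example.org\x1f2019-04-20T10:15:00+00:00\x1fG\x1fBump base image\n"
    "d4e5f6\x1fbuild-bot@example.org\x1f2019-04-22T03:00:00+00:00\x1fN\x1fUpdate Dockerfile\n"
    "0f9e8d\x1fbob@example.org\x1f2019-04-24T18:42:00+00:00\x1fG\x1fFix typo in README\n"
)

@dataclass
class Finding:
    commit: str
    reason: str

def parse_log(text):
    """Split git log output into (sha, committer_email, date, sig_status, subject) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, email, date, sig, subject = line.split("\x1f", 4)
        rows.append((sha, email, date, sig, subject))
    return rows

def review(rows, allowed_committers, require_signature=True):
    """Flag commits worth a closer look: unknown committer, or no good signature.
    %G? prints 'G' for a good signature, 'N' for none, 'B' for bad, 'U' for an untrusted key."""
    findings = []
    for sha, email, date, sig, subject in rows:
        if email.lower() not in allowed_committers:
            findings.append(Finding(sha, f"committer {email} not in allowlist: {subject!r}"))
        elif require_signature and sig != "G":
            findings.append(Finding(sha, f"signature status {sig!r} (expected 'G'): {subject!r}"))
    return findings

def review_repo(path, allowed_committers, since=None):
    """Run git against a real checkout (hypothetical helper). `since` is optional because
    the start of the compromise is unknown; leaving it out reviews the whole history."""
    cmd = ["git", "-C", path, "log", "--all", "--format=%H%x1f%ce%x1f%cI%x1f%G?%x1f%s"]
    if since:
        cmd.append(f"--since={since}")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return review(parse_log(out), allowed_committers)
```

Checking --all rather than just the default branch matters here, since a pushed branch or tag that nobody merged is still an unexpected change.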