Malicious Kong Ingress Controller Image Found on DockerHub

Kong Ingress Controller DockerHub Attack

As of January 14, 2025, a significant cybersecurity incident has been reported involving the Kong Ingress Controller.

Key Details

  • An attacker gained access to Kong's DockerHub account and replaced the legitimate Kong Ingress Controller version 3.4.0 image with a malicious version. This breach allows the attacker to potentially compromise any system that uses the compromised Docker image [1].

Implications

  • The malicious image could be used for a range of harmful activities, including but not limited to cryptojacking, data theft, or the deployment of backdoors and other malware.
  • Users who have downloaded the Kong Ingress Controller image from DockerHub during the period when the malicious image was available are advised to inspect their systems for any signs of compromise and to update to a verified legitimate version of the image.

Malicious Docker Images and Cryptojacking

While the specific Kong Ingress Controller incident is focused on the replacement of a legitimate image with a malicious one, there are broader trends and recent incidents related to malicious Docker images and cryptojacking:

General Threats

  • Malicious Docker images are a growing concern, as they can be used to deploy various types of malware, including cryptojacking software. Cryptojacking involves using compromised systems to mine cryptocurrency without the owner's knowledge or consent [4].

Recent Incidents

  • There have been several recent cases of malicious packages and images being discovered in various repositories. For example, a malicious npm package named ethereumvulncontracthandler was found to deploy the Quasar RAT (Remote Access Trojan) onto developer systems. This highlights the vulnerability of software supply chains to malicious activities [2][4].

Kong Security Vulnerability January 2025

The incident involving the Kong Ingress Controller is a specific example of a security exposure that resulted from an account compromise rather than from a vulnerability within the Kong software itself.

Mitigation

  • To mitigate such risks, users should ensure they are downloading images from trusted sources and verify the integrity of the images before deployment. Regular security audits and monitoring of DockerHub accounts are also crucial.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) and other security agencies often provide guidelines and mandates for patching vulnerabilities and securing software supply chains, which can help prevent similar incidents [3].
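
One way to act on the advice to verify image integrity, as an added example (not code from Kong or from the original page): it compares the digest each pod is actually running against an allowlist of verified digests and flags references that rely on a tag alone. The repository name `kong/kubernetes-ingress-controller`, the digests and the pod data are assumptions constructed for illustration.

```python
REPO = "docker.io/kong/kubernetes-ingress-controller"      # assumed Docker Hub repository
GOOD, OTHER = "sha256:" + "a" * 64, "sha256:" + "b" * 64   # constructed placeholder digests
# Assumption: TRUSTED holds digests you verified out of band (advisory, signature check).
TRUSTED = {REPO: {GOOD}}

def normalize(ref):
    """Split an image reference into (repository, tag, digest) with Docker Hub defaults."""
    ref = ref.split("://", 1)[-1]          # drop runtime prefixes such as docker-pullable://
    name, _, digest = ref.partition("@")
    head, _, last = name.rpartition("/")
    last, _, tag = last.partition(":")     # a ':' before the last '/' is a registry port
    name = f"{head}/{last}" if head else last
    first = name.split("/", 1)[0]
    if "/" not in name:
        name = "docker.io/library/" + name
    elif not ("." in first or ":" in first or first == "localhost"):
        name = "docker.io/" + name
    return name, tag or None, digest or None

def audit(pod_list):
    """Return (pod, tag, running digest, verdict) for each container using a tracked repo."""
    findings = []
    for pod in pod_list["items"]:
        requested = {c["name"]: c["image"] for c in pod["spec"]["containers"]}
        for cs in pod["status"].get("containerStatuses", []):
            repo, tag, pinned = normalize(requested[cs["name"]])
            if repo not in TRUSTED:
                continue
            running = normalize(cs["imageID"])[2]    # digest the node actually pulled
            verdict = "PINNED_AND_TRUSTED"
            if running not in TRUSTED[repo]:
                verdict = "UNVERIFIED_DIGEST"        # tag resolved to content never vetted
            elif pinned is None:
                verdict = "TRUSTED_BUT_TAG_ONLY"     # a tag can be re-pointed at new content
            findings.append((pod["metadata"]["name"], tag, running, verdict))
    return findings

def _pod(name, image, image_id):   # constructed pod shaped like `kubectl get pods -o json`
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": "controller", "image": image}]},
            "status": {"containerStatuses": [{"name": "controller", "imageID": image_id}]}}

SAMPLE = {"items": [   # constructed input: one pinned pod, one tag-only, one replaced image
    _pod("kic-pinned", f"kong/kubernetes-ingress-controller:3.4.0@{GOOD}", f"{REPO}@{GOOD}"),
    _pod("kic-tag", "kong/kubernetes-ingress-controller:3.4.0", f"docker-pullable://{REPO}@{GOOD}"),
    _pod("kic-swapped", "kong/kubernetes-ingress-controller:3.4.0", f"{REPO}@{OTHER}"),
]}

print(*audit(SAMPLE), sep="\n")
```

Replace SAMPLE with the parsed output of `kubectl get pods -A -o json` and the placeholder digests with values you verified yourself.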

Additional Context

  • The broader cybersecurity landscape in January 2025 includes various other threats such as cross-domain attacks, vulnerabilities in widely-used tools like Nuclei, and sanctions against entities involved in state-backed hacking campaigns. These highlight the ongoing need for robust cybersecurity measures and vigilance across all aspects of software development and deployment [2][4].

In summary, the Kong Ingress Controller DockerHub attack is a serious incident that underscores the risks associated with software supply chain security and the importance of verifying the integrity of software images before use.