Docker

Auto Added by WPeMatico

How to get your ads working, and whether PR is worth it

Julian Shapiro
Contributor

Julian Shapiro is the founder of BellCurve.com, a growth marketing agency that trains you to become a marketing professional. He also writes at Julian.com.

We’ve aggregated the world’s best growth marketers into one community. Twice a month, we ask them to share their most effective growth tactics, and we compile them into this Growth Report.

This is how you’re going stay up-to-date on growth marketing tactics — with advice you can’t get elsewhere.

Our community consists of 600 startup founders paired with VP’s of growth from later-stage companies. We have 300 YC founders plus senior marketers from companies including Medium, Docker, Invision, Intuit, Pinterest, Discord, Webflow, Lambda School, Perfect Keto, Typeform, Modern Fertility, Segment, Udemy, Puma, Cameo, and Ritual.

You can participate in our community by joining Demand Curve’s marketing webinars, Slack group, or marketing training programSee past growth reports here.

Without further ado, onto the advice.


How to get customer testimonials from hard-to-reach executives

Based on insights from Guillaume Cabane.

A customer testimonial from a well-known executive may be the social proof that improves conversion rates on your landing pages or in sales collateral. But executives of reputable companies are generally busy and difficult to reach.

Here’s how to get the testimonial:

  • Contract with a freelance journalist who’s written for a reputable publication like the New York Times.
  • Reach out to your executive customers with something like “Hey, we have a journalist who has previously written for NYT who’s interested in speaking to a few of our customers for a piece. Do you have 15 minutes for a quick call?”
  • For $200 in freelancer time, you get a testimonial you can use (in the words you want) from a reputable executive. Be sure to figure out some way to make it worth the executive’s time.

Powered by WPeMatico

How to work with top influencers and avoid ad blockers

Julian Shapiro
Contributor

Julian Shapiro is the founder of BellCurve.com, a growth marketing agency that trains you to become a marketing professional. He also writes at Julian.com.

We’ve aggregated the world’s best growth marketers into one community. Twice a month, we ask them to share their most effective growth tactics, and we compile them into this Growth Report.

This is how you’re going stay up-to-date on growth marketing tactics — with advice you can’t get elsewhere.

Our community consists of 600 startup founders paired with VP’s of growth from later-stage companies. We have 300 YC founders plus senior marketers from companies including Medium, Docker, Invision, Intuit, Pinterest, Discord, Webflow, Lambda School, Perfect Keto, Typeform, Modern Fertility, Segment, Udemy, Puma, Cameo, and Ritual.

You can participate in our community by joining Demand Curve’s marketing webinars, Slack group, or marketing training program.

Without further ado, onto the advice.

Editor’s note: This is the first of a new series of articles on startup growth tactics in 2019 for Extra Crunch. This first article has been unlocked for all TechCrunch readers.


Don’t abandon email unsubscribers. They’re still useful.

Based on insights from Matt Sornson of Clearbit.

You’ve launched a new feature and want to tell your audience about it. You can send an email to your newsletter subscribers, but how do you reach the 20%+ who unsubscribed? Most people mistakenly consider this audience to be a lost cause.

  • Create a custom audience of all newsletter unsubscribers on Facebook.
  • Run ads announcing the new feature to that audience.
  • Now you’ve reactivated people who at one point had an interest in your product — instead of forever ignoring them.

Tips for effectively working with influencers

Based on insights from Barron Caster of Rev.

  • Create a referral system for influencers: Influencers who sign up others get a % of their sales or signups. This makes a mini-pyramid structure and turns your influencers into a salesforce. Why is this important? Some influencers don’t actually sell products, but just sign up tons of other influencers. Find these people.
  • Get everything you can out of an engagement (e.g. permission to use them as a testimonial for emails, social proof, etc.).
  • Working with influencers is a relationship-building game:
    • Actually go to conferences to meet influencers.
    • Treat influencers like royalty. Surprise them with gifts like flowers/donuts. $100 to send a gift can pay hefty dividends if they like your brand more and share that with their followers.
    • Give influencers a tangible benefit to share with their followers. They care about their followers and want to beneficially incentivize them to click on their link and buy with them.

More tips for working with influencers

Based on insights from Cezar Grigore of Tremo Books.

  • Geo rollouts: Your ROI increases when a bunch of influencers in the same category / region share your product within an interval of 2-4 weeks. It gives the impression that everyone is talking about your product.
  • Initially focus on influencers with 10-150k audiences. They’re smaller and more willing to accept bartered deals. There are enough influencers in this range willing to work in exchange for a free product. Most may not be producing results, but some work well, bringing in 50-200 customers within 24 hours. As you build up your following and reputation for your brand, it becomes much easier to work with more influential people.
  • It’s harder to cut deals with bigger influencers (100k-2M). Only about 5-10% of bigger influencers are willing to work on an affiliate basis (e.g. $10/customer).

Overcoming ad blockers that screw up your conversion data

  • Ad blockers can block FB’s tracking libraries and underreport ad conversions (even by 50%). The trick? Consider using the static IMG FB pixel — not the JavaScript one — which ad blockers don’t appear to block. — C.
  • Here’s another ad block workaround: You can extract UTM tags from the URL then save them into LocalStorage using JavaScript. Next, send that stored data plus the user’s on-site conversion behavior to a custom backend that, inherently, will circumvent ad blockers. Just be diligent about ensuring your marketing links all have UTM tags. —Neal O’Grady of Demand Curve
  • Remember that the use of ad blockers varies heavily by audience and device type. Depending on who your audience is, ad blockers can either be a huge problem or a non-problem. —Neal O’Grady of Demand Curve
    • So, for example, few people on mobile have ad blockers. Not much of a problem there.
    • However, on desktop, up to ~75% of millennial gamers and techies may have it installed.
    • In contrast, on desktop, maybe only 25% of middle-aged Americans outside of tech hub cities may have it installed.
    • These are hand-wavy numbers. Google for specifics.

Powered by WPeMatico

Microsoft makes a push for service mesh interoperability

Services meshes. They are the hot new thing in the cloud native computing world. At KubeCon, the bi-annual festival of all things cloud native, Microsoft today announced that it is teaming up with a number of companies in this space to create a generic service mesh interface. This will make it easier for developers to adopt the concept without locking them into a specific technology.

In a world where the number of network endpoints continues to increase as developers launch new micro-services, containers and other systems at a rapid clip, they are making the network smarter again by handling encryption, traffic management and other functions so that the actual applications don’t have to worry about that. With a number of competing service mesh technologies, though, including the likes of Istio and Linkerd, developers currently have to choose which one of these to support.

“I’m really thrilled to see that we were able to pull together a pretty broad consortium of folks from across the industry to help us drive some interoperability in the service mesh space,” Gabe Monroy, Microsoft’s lead product manager for containers and the former CTO of Deis, told me. “This is obviously hot technology — and for good reasons. The cloud-native ecosystem is driving the need for smarter networks and smarter pipes and service mesh technology provides answers.”

The partners here include Buoyant, HashiCorp, Solo.io, Red Hat, AspenMesh, Weaveworks, Docker, Rancher, Pivotal, Kinvolk and VMware . That’s a pretty broad coalition, though it notably doesn’t include cloud heavyweights like Google, the company behind Istio, and AWS.

“In a rapidly evolving ecosystem, having a set of common standards is critical to preserving the best possible end-user experience,” said Idit Levine, founder and CEO of Solo.io. “This was the vision behind SuperGloo — to create an abstraction layer for consistency across different meshes, which led us to the release of Service Mesh Hub last week. We are excited to see service mesh adoption evolve into an industry-level initiative with the SMI specification.”

For the time being, the interoperability features focus on traffic policy, telemetry and traffic management. Monroy argues that these are the most pressing problems right now. He also stressed that this common interface still allows the different service mesh tools to innovate and that developers can always work directly with their APIs when needed. He also stressed that the Service Mesh Interface (SMI), as this new specification is called, does not provide any of its own implementations of these features. It only defines a common set of APIs.

Currently, the most well-known service mesh is probably Istio, which Google, IBM and Lyft launched about two years ago. SMI may just bring a bit more competition to this market since it will allow developers to bet on the overall idea of a service mesh instead of a specific implementation.

In addition to SMI, Microsoft also today announced a couple of other updates around its cloud-native and Kubernetes services. It announced the first alpha of the Helm 3 package manager, for example, as well as the 1.0 release of its Kubernetes extension for Visual Studio Code and the general availability of its AKS virtual nodes, using the open source Virtual Kubelet project.

Powered by WPeMatico

Steve Singh stepping down as Docker CEO

TechCrunch has learned that Docker CEO Steve Singh will be stepping down after two years at the helm, and former Hortonworks CEO Rob Bearden will be taking over. An email announcement went out this morning to Docker employees.

People close to the company confirmed that Singh will be leaving the CEO position, staying on the job for several months to help Bearden with the transition. He will then remain with the organization in his role as chairman of the board. They indicated that Bearden has been working closely with Singh over the last several months as a candidate to join the board and as a consultant to the executive team.

Singh clicked with him and viewed him as a possible successor, especially given his background with leadership positions at several open-source companies, including taking Hortonworks public before selling to Cloudera last year. Singh apparently saw someone who could take the company to the next level as he moved on. As one person put it, he was tired of working 75 hours a week, but he wanted to leave the company in the hands of a capable steward.

Last week in an interview at DockerCon, the company’s annual customer conference in San Francisco, Singh appeared tired, but a leader who was confident in his position and who saw a bright future for his company. He spoke openly about his leadership philosophy and his efforts to lift the company from the doldrums it was in when he took over two years prior, helping transform it from a mostly free open-source offering into a revenue-generating company with 750 paying enterprise customers.

In fact, he told me that under his leadership the company was on track to become free cash flow positive by the end of this fiscal year, a step he said would mean that Docker would no longer need to seek outside capital. He even talked of the company eventually going public.

Apparently, he felt it was time to pass the torch before the company took those steps, saw a suitable successor in Bearden and offered him the position. While it might have made more sense to announce this at DockerCon with the spotlight focused on the company, it was not a done deal yet by the time the conference was underway in San Francisco, people close to the company explained.

Docker took a $92 million investment last year, which some saw as a sign of continuing struggles for the company, but Singh said he took the money to continue to invest in building revenue-generating enterprise products, some of which were announced at DockerCon last week. He indicated that the company would likely not require any additional investment moving forward.

As for Bearden, he is an experienced executive with a history of successful exits. In addition to his experience at Hortonworks, he was COO at SpringSource, a developer tool suite that was sold to VMware for $420 million in 2009 (and is now part of Pivotal). He was also COO at JBoss, an open-source middleware company acquired by Red Hat in 2006.

Whether he will do the same with Docker remains to be seen, but as the new CEO, it will be up to him to guide the company moving forward to the next steps in its evolution, whether that eventually results in a sale or the IPO that Singh alluded to.

Email to staff from Steve Singh:

Note: Docker has now confirmed this story in a press release.

Powered by WPeMatico

Docker developers can now build Arm containers on their desktops

Docker and Arm today announced a major new partnership that will see the two companies collaborate in bringing improved support for the Arm platform to Docker’s tools.

The main idea here is to make it easy for Docker developers to build their applications for the Arm platform right from their x86 desktops and then deploy them to the cloud (including the Arm-based AWS EC2 A1 instances), edge and IoT devices. Developers will be able to build their containers for Arm just like they do today, without the need for any cross-compilation.

This new capability, which will work for applications written in JavaScript/Node.js, Python, Java, C++, Ruby, .NET core, Go, Rust and PHP, will become available as a tech preview next week, when Docker hosts its annual North American developer conference in San Francisco.

Typically, developers would have to build the containers they want to run on the Arm platform on an Arm-based server. With this system, which is the first result of this new partnership, Docker essentially emulates an Arm chip on the PC for building these images.

“Overnight, the 2 million Docker developers that are out there can use the Docker commands they already know and become Arm developers,” Docker EVP of Strategic Alliances David Messina told me. “Docker, just like we’ve done many times over, has simplified and streamlined processes and made them simpler and accessible to developers. And in this case, we’re making x86 developers on their laptops Arm developers overnight.”

Given that cloud-based Arm servers like Amazon’s A1 instances are often significantly cheaper than x86 machines, users can achieve some immediate cost benefits by using this new system and running their containers on Arm.

For Docker, this partnership opens up new opportunities, especially in areas where Arm chips are already strong, including edge and IoT scenarios. Arm, similarly, is interested in strengthening its developer ecosystem by making it easier to develop for its platform. The easier it is to build apps for the platform, the more likely developers are to then run them on servers that feature chips from Arm’s partners.

“Arm’s perspective on the infrastructure really spans all the way from the endpoint, all the way through the edge to the cloud data center, because we are one of the few companies that have a presence all the way through that entire path,” Mohamed Awad, Arm’s VP of Marketing, Infrastructure Line of Business, said. “It’s that perspective that drove us to make sure that we engage Docker in a meaningful way and have a meaningful relationship with them. We are seeing compute and the infrastructure sort of transforming itself right now from the old model of centralized compute, general purpose architecture, to a more distributed and more heterogeneous compute system.”

Developers, however, Awad rightly noted, don’t want to have to deal with this complexity, yet they also increasingly need to ensure that their applications run on a wide variety of platforms and that they can move them around as needed. “For us, this is about enabling developers and freeing them from lock-in on any particular area and allowing them to choose the right compute for the right job that is the most efficient for them,” Awad said.

Messina noted that the promise of Docker has long been to remove the dependence of applications from the infrastructure on which they run. Adding Arm support simply extends this promise to an additional platform. He also stressed that the work on this was driven by the company’s enterprise customers. These are the users who have already set up their systems for cloud-native development with Docker’s tools — at least for their x86 development. Those customers are now looking at developing for their edge devices, too, and that often means developing for Arm-based devices.

Awad and Messina both stressed that developers really don’t have to learn anything new to make this work. All of the usual Docker commands will just work.

Powered by WPeMatico

Airbnb, Automattic and Pinterest top rank of most acquisitive unicorns

Jason Rowley
Contributor

Jason Rowley is a venture capital and technology reporter for Crunchbase News.

It takes a lot more than a good idea and the right timing to build a billion-dollar company. Talent, focus, operational effectiveness and a healthy dose of luck are all components of a successful tech startup. Many of the most successful (or, at least, highest-valued) tech unicorns today didn’t get there alone.

Mergers and acquisitions (M&A) can be a major growth vector for rapidly scaling, highly valued technology companies. It’s a topic that we’ve covered off and on since the very first post on Crunchbase News in March 2017. Nearly two years later, we wanted to revisit that first post because things move quickly, and there is a new crop of companies in the unicorn spotlight these days. Which ones are the most active in the M&A market these days?

The most acquisitive U.S. unicorns today

Before displaying the U.S. unicorns with the most acquisitions to date, we first have to answer the question, “What is a unicorn?” The term is generally applied to venture-backed technology companies that have earned a valuation of $1 billion or more. Crunchbase tracks these companies in its Unicorns hub. The original definition of the term, first applied in a VC setting by Aileen Lee of Cowboy Ventures back in late 2011, specifies that unicorns were founded in or after 2003, following the first tech bubble. That’s the working definition we’ll be using here.

In the chart below, we display the number of known acquisitions made by U.S.-based unicorns that haven’t gone public or gotten acquired (yet). Keep in mind this is based on a snapshot of Crunchbase data, so the numbers and ranking may have changed by the time you read this. To maintain legibility and a reasonable size, we cut off the chart at companies that made seven or more acquisitions.

As one would expect, these rankings are somewhat different from the one we did two years ago. Several companies counted back in early March 2017 have since graduated to public markets or have been acquired.

Who’s gone?

Dropbox, which had acquired 23 companies at the time of our last analysis, went public weeks later and has since acquired two more companies (HelloSign for $230 million in late January 2019 and Verst for an undisclosed sum in November 2017) since doing so. SurveyMonkey, which went public in September 2018, made six known acquisitions before making its exit via IPO.

Who stayed?

Which companies are still in the top ranks? Travel accommodations marketplace giant Airbnb jumped from number four to claim Dropbox’s vacancy as the most acquisitive private U.S. unicorn in the market. Airbnb made six more acquisitions since March 2017, most recently Danish event space and meeting venue marketplace Gaest.com. The still-pending deal was announced in January 2019.

WordPress developer and hosting company Automattic is still ranked number two. Automattic  href=”https://www.crunchbase.com/acquisition/automattic-acquires-atavist–912abccd”>acquired one more company — digital publication platform Atavist — since we last profiled unicorn M&A. Open-source software containerization company Docker, photo-sharing and search site Pinterest, enterprise social media management company Sprinklr and venture-backed media company Vox Media remain, as well.

Who’s new?

There are some notable newcomers in these rankings. We’ll focus on the most notable three: The We CompanyCoinbase and Lyft. (Honorable mention goes to Stripe and Unity Technologies, which are also new to this list.)

The We Company (the holding entity for WeWork) has made 10 acquisitions over the past two years. Earlier this month, The We Company bought Euclid, a company that analyzes physical space utilization and tracks visitors using Wi-Fi fingerprinting. Other buyouts include Meetup (a story broken by Crunchbase News in November 2017) reportedly for $200 million. Also in late 2017, The We Company acquired coding and design training program Flatiron School, giving the company a permanent tenant in some of its commercial spaces.

In its bid to solidify its position as the dominant consumer cryptocurrency player, Coinbase has been on quite the M&A tear lately. The company recently announced its plans to acquire Neutrino, a blockchain analytics and intelligence platform company based in Italy. As we covered, Coinbase likely made the deal to improve its compliance efforts. In January, Coinbase acquired data analysis company Blockspring, also for an undisclosed sum. The crypto company’s other most notable deal to date was its April 2018 buyout of the bitcoin mining hardware turned cryptocurrency micro-transaction platform Earn.com, which Coinbase acquired for $120 million.

And finally, there’s Lyft, the more exclusively U.S.-focused ride-hailing and transportation service company. Lyft has made 10 known acquisitions since it was founded in 2012. Its latest M&A deal was urban bike service Motivate, which Lyft acquired in June 2018. Lyft’s principal rival, Uber, has acquired six companies at the time of writing. Uber bought a bike company of its own, JUMP Bikes, at a price of $200 million, a couple of months prior to Lyft’s Motivate purchase. Here too, the Lyft-Uber rivalry manifests in structural sameness. Fierce competition drove Uber and Lyft to raise money in lock-step with one another, and drove M&A strategy as well.

What to take away

With long-term business success, it’s often a chicken-and-egg question. Is a company successful because of the startups it bought along the way? Or did it buy companies because it was successful and had an opening to expand? Oftentimes, it’s a little of both.

The unicorn companies that dominate the private funding landscape today (if not in the number of deals, then in dollar volume for sure) continue to raise money in the name of growth. Growth can come the old-fashioned way, by establishing a market position and expanding it. Or, in the name of rapid scaling and ostensibly maximizing investor returns, M&A provides a lateral route into new markets or a way to further entrench the status quo. We’ll see how that strategy pays off when these companies eventually find the exit door .

Powered by WPeMatico

Microsoft and Docker team up to make packaging and running cloud-native applications easier

Microsoft and Docker today announced a new joint open-source project, the Cloud Native Application Bundle (CNAB), that aims to make the lifecycle management of cloud-native applications easier. At its core, the CNAB is nothing but a specification that allows developers to declare how an application should be packaged and run. With this, developers can define their resources and then deploy the application to anything from their local workstation to public clouds.

The specification was born inside Microsoft, but as the team talked to Docker, it turns out that the engineers there were working on a similar project. The two decided to combine forces and launch the result as a single open-source project. “About a year ago, we realized we’re both working on the same thing,” Microsoft’s Gabe Monroy told me. “We decided to combine forces and bring it together as an industry standard.”

As part of this, Microsoft is launching its own reference implementation of a CNAB client today. Duffle, as it’s called, allows users to perform all the usual lifecycle steps (install, upgrade, uninstall), create new CNAB bundles and sign them cryptographically. Docker is working on integrating CNAB into its own tools, too.

Microsoft also today launched Visual Studio extension for building and hosting these bundles, as well as an example implementation of a bundle repository server and an Electron installer that lets you install a bundle with the help of a GUI.

Now it’s worth noting that we’re talking about a specification and reference implementations here. There is obviously a huge ecosystem of lifecycle management tools on the market today that all have their own strengths and weaknesses. “We’re not going to be able to unify that tooling,” said Monroy. “I don’t think that’s a feasible goal. But what we can do is we can unify the model around it, specifically the lifecycle management experience as well as the packaging and distribution experience. That’s effectively what Docker has been able to do with the single-workload case.”

Over time, Microsoft and Docker would like for the specification to end up in a vendor-neutral foundation. Which one remains to be seen, though the Open Container Initiative seems like the natural home for a project like this.

Powered by WPeMatico

Docker inks partnership with MuleSoft as Salesforce takes a strategic stake

Docker and MuleSoft have announced a broad deal to sell products together and integrate their platforms. As part of it, Docker is getting an investment from Salesforce, the CRM giant that acquired MuleSoft for $6.5 billion last spring.

Salesforce is not disclosing the size of the stake it’s taking in Docker, but it is strategic: it will see its new MuleSoft working with Docker to connect containerized applications to multiple data sources across an organization. Putting the two companies together, you can connect these containerized applications to multiple data sources in a modern way, even with legacy applications.

The partnership is happening on multiple levels and includes technical integration to help customers more easily use the two toolsets together. It also includes a sales agreement to invite each company’s sales team when it makes sense, and to work with systems integrators and ISVs, who help companies put these kind of complex solutions to work inside large organizations.

Docker chief product officer Scott Johnston said it was really about bringing together two companies whose missions were aligned with what they were hearing from customers. That involves tapping into some broad trends around getting more out of their legacy applications and a growing desire to take an API-driven approach to developer productivity, while getting additional value out of their existing data sources. “Both companies have been working separately on these challenges for the last several years, and it just made sense as we listen to the market and listen to customers that we joined forces,” Johnston told TechCrunch.

Uri Sarid, MuleSoft’s CTO, agrees that customers have been using both products and it called for a more formal arrangement. “We have joint customers and the partnership will be fortifying that. So that’s a great motion, but we believe in acceleration. And so if there are things that we can do, and we now have plans for what we will do to make that even faster, to make that even more natural and built-in, we can accelerate the motion to this. Before, you had to think about these two concerns separately, and we are working on interoperability that makes you not have to think about them separately,” he explained.

This announcement comes at a time of massive consolidation in the enterprise. In the last couple of weeks, we have seen IBM buying Red Hat for $34 billion, SAP acquiring Qualtrics for $8 billion and Vista Equity Partners scooping up Apptio for $1.94 billion. Salesforce acquired MuleSoft earlier this year in its own mega deal in an effort to bridge the gap between data in the cloud and on-prem.

The final piece of today’s announcement is that investment from Salesforce Ventures. Johnston would not say how much the investment was for, but did say it was about aligning the two partners.

Docker had raised almost $273 million before today’s announcement. It’s possible it could be looking for a way to exit, and with the trend toward enterprise consolidation, Salesforce’s investment may be a way to test the waters for just that. If it seems like an odd match, remember that Salesforce bought Heroku in 2010 for $212 million.

Powered by WPeMatico

Anaxi brings more visibility to the development process

Anaxi‘s mission is to bring more transparency to the software development process. The tool, which is now live for iOS, with web and Android versions planned for the near future, connects to GitHub to give you actionable insights about the state of your projects and manage your projects and issues. Support for Atlassian’s Jira is also in the works.

The new company was founded by former Apple engineering manager and Docker EVP of product development Marc Verstaen and former CodinGame CEO John Lafleur. Unsurprisingly, this new tool is all about fixing the issues these two have seen in their daily lives as developers.

“I’ve been doing software for 40 years,” Verstaen told me.” And every time is the same. You start with a small team and it’s fine. Then you grow and you don’t know what’s going on. It’s a black box.” While the rest of the business world now focuses on data and analytics, software development never quite reached that point. Verstaen argues that this was acceptable until 10 or 15 years ago because only software companies were doing software. But now that every company is becoming a software company, that’s not acceptable anymore.

Using Anaxi, you can easily see all issue reports and pull requests from your GitHub repositories, both public and private. But you also get visual status indicators that tell you when a project has too many blockers, for example, as well as the ability to define your own labels. You also can define due dates for issues.

One interesting aspect of Anaxi is that it doesn’t store all of this information on your phone or on a proprietary server. Instead, it only caches as little information as necessary (including your handles) and then pulls the rest of the information from GitHub as needed. That cache is encrypted on the phone, but for the most part, Anaxi simply relies on the GitHub API to pull in data when needed. There’s a bit of a trade-off here in terms of speed, but Verstaen noted that this also means you always get the most recent data and that GitHub’s API is quite fast and easy to work with.

The service is currently available for free. The company plans to introduce pricing plans in the future, with prices based on the number of developers that use the product inside a company.

Powered by WPeMatico

Tainted, crypto-mining containers pulled from Docker Hub

Security companies Fortinet and Kromtech found seventeen tainted Docker containers that were essentially downloadable images containing programs that had been designed to mine cryptocurrencies. Further investigation found that they had been downloaded 5 million times, suggesting that hackers were able to inject commands into insecure containers to download this code into otherwise healthy web applications. The researchers found the containers on Docker Hub, a repository for user images.

“Of course, we can safely assume that these had not been deployed manually. In fact, the attack seems to be fully automated. Attackers have most probably developed a script to find misconfigured Docker and Kubernetes installations. Docker works as a client/server architecture, meaning the service can be fully managed remotely via the REST API,” wrote researcher David Maciejak.

The containers are now gone, but the hackers may have gotten away with up to $90,000 in cryptocurrency, a small but significant amount for such a hack.

“Today’s growing number of publicly accessible misconfigured orchestration platforms like Kubernetes allows hackers to create a fully automated tool that forces these platforms to mine Monero,” said a writer of a report by Kromtech. “By pushing malicious images to a Docker Hub registry and pulling it from the victim’s system, hackers were able to mine 544.74 Monero, which is equal to $90,000.”

“As with public repositories like GitHub, Docker Hub is there for the service of the community. When dealing with open public repositories and open source code, we recommend that you follow a few best practices including: know the content author, scan images before running and use curated official images in Docker Hub and certified content in Docker Store whenever possible,” wrote Docker’s head of security David Lawrence in a Threatpost report.

Interestingly, of late hackers have moved from attacking AWS Elastic Compute servers on Amazon’s platform to Docker and other container-based systems. While there are security systems available to manage Docker and Kubernetes containers, users should remain vigilant and assess their vulnerabilities before hackers get more of an upper hand.

Powered by WPeMatico