Container attacks on the rise

Aqua Security has published new research from Team Nautilus revealing a continued rise in cyberattacks targeting container infrastructure and supply chains, and showing that it can now take less than one hour to exploit vulnerable container infrastructure. The “Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure” provides a detailed analysis of how bad actors are getting better at hiding their increasingly sophisticated attacks. 

“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” said Assaf Morag, Lead Data Analyst with Aqua’s Team Nautilus. “At the same time, we’re also seeing that attacks are now demonstrating more sinister motives with greater potential impact. Although cryptocurrency mining is still the lowest hanging fruit and thus is more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft.”  

Among the new attack techniques, Team Nautilus uncovered a massive campaign targeting the auto-build of SaaS dev environments.  

“This has not been a common attack vector in the past, but that will likely change in 2021 because the deployment of detection, prevention, and security tools designed to protect the build process during CI/CD flow is still limited within most organisations,” added Morag. 

The results of this report were contributed as input into MITRE’s creation of its new MITRE ATT&CK Container Framework. MITRE ATT&CK is used worldwide by cybersecurity practitioners to describe the taxonomy for both the offense and defence cyberattack kill chain. 

The Aqua report presents detailed analysis of the high-profile attacks that Team Nautilus uncovered. Key findings include: 

• Higher levels of sophistication in attacks: Attackers have amplified their use of evasion and obfuscation techniques in order to avoid detection. These include packing the payloads, running malware straight from memory, and using rootkits.

• Botnets are swiftly finding and infecting new hosts as they become vulnerable: 50% of new misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.  

• Crypto-currency mining is still the most common objective: More than 90% of the malicious images execute resources hijacking.

• Increased use of backdoors: 40% of attacks involved creating backdoors on the host; adversaries are dropping dedicated malware, creating new users with root privileges and creating SSH keys for remote access.

• Volume of attacks continues to grow:Daily attacks grew 26% on average between the first half and second half of 2020. 

Team Nautilus utilised Aqua’s Dynamic Threat Analysis (DTA) product to analyse each attack. Aqua DTA is the industry’s only container sandbox solution that dynamically assesses container image behaviours to determine whether they harbour hidden malware. This enables organisations to identify and mitigate attacks that target cloud native environments well before deployment in production, which static malware scanners cannot detect.