Virtualization Technology News and Information
Supply Chain Risk for the 2020s: Cloud and DevOps Under the Microscope
Digital supply chains are a fact of life for the modern business. Whether it's an e-commerce platform to power your website or cloud IaaS to run servers, storage and other key parts of the IT infrastructure - most organisations couldn't function without them. But supply chains also introduce extra cyber risk: just look at the damage Magecart data skimming attackers have inflicted on thousands of businesses through third-party JavaScript libraries.

The world of cloud and DevOps is particularly exposed to supply chain risk. It's more fluid, more open and more collaborative than legacy ways of working. This will demand a new approach to security focused around gaining visibility and control without impacting developer productivity and CI/CD pipelines.

Digital drives risk

Digital transformation is an industry set to be worth more than $462 billion by 2024. Why? Because organisations across the globe are looking to drive productivity, streamline processes and meet fast-changing customer demands with agility and innovation. In practice, this means major investments in multiple hybrid clouds, containers, microservices, infrastructure-as-code and more. The problems begin with the fact that, in many cases, organisations lack the in-house skills to manage these new levels of abstraction securely.

They are compounded by human error and malicious activity. In our 2020 predictions report, we warned organisations that their reliance on cloud providers will increasingly encourage cyber-criminals to target data stored in accounts. They'll use code injection attacks exploiting deserialisation bugs, cross-site scripting and SQL injection, as well as simpler techniques capitalising on misconfigurations of cloud accounts that expose sensitive data.

Then there's DevOps. Third-party code in container components and libraries is an increasingly popular way to accelerate time-to-market, but if left unchecked, it could introduce serious security risk into products and services. One report claimed last year that UK firms on average downloaded 21,000 software components known to be vulnerable over the previous 12 months. DevOps tools and platforms themselves are another tempting target. In short, there are many moving parts to this new environment that help to create a large attack surface for cyber-criminals to take aim at.

Attacks in action

Unfortunately, over the past year alone we've seen multiple vulnerabilities, misconfigurations and real-world cyber-attacks on these environments.

In June, Trend Micro detected hackers scanning for exposed Docker APIs and attempting to deliver the AESDDoS Linux malware to remotely compromise servers and hardware resources. The culprit was API misconfiguration in Docker Engine - Community, the open-source version of the popular Docker Engine.

In October, more malicious activity was discovered, this time taking advantage of poorly secured Docker hosts. Those that lacked suitable authentication were targeted by the "Graboid" worm, designed to covertly mine for Monero cryptocurrency before spreading to the next target. The cyber-criminals behind this operation managed to infect 2,000 unprotected Docker hosts in this way.

Also last year, researchers detected multiple vulnerabilities in DevOps tools and platforms, such as CVE-2019-11246, a high-severity bug in the Kubernetes container orchestration system. A successful attacker could exploit the flaw to achieve directory traversal, using a malicious container to create or replace files on a targeted machine.

The same month, we found an issue in the Jenkins automation servers popular among DevOps teams, allowing lower-privileged users to gain administrator rights and potentially setting up remote code execution attacks on the server. We've also seen multiple bugs in Jenkins plugins which could enable theft of user credentials.

What to do

What does this all mean for security leaders? They need to focus on a range of measures: from conducting rigorous due diligence of cloud providers and other third parties, to automated scanning for malware and vulnerabilities in images, both at build time and at runtime. These scans should, of course, extend to any third-party code used by the organisation. Container security can be further bolstered by tightening access controls along least-privilege lines.

When it comes to configuration errors, Cloud Security Posture Management (CSPM) can improve compliance and governance through enhanced visibility and control. There are also best practice guidelines produced by providers like Docker which are always worth building into developer processes.
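The Docker incidents described above (AESDDoS and Graboid) both relied on an Engine API reachable over the network without authentication. The following audit of a daemon.json file is an added example, not code from the article or from Docker; the sample configurations are constructed, and it inspects only the documented `hosts`, `tls` and `tlsverify` keys.

```python
import json

# Constructed sample: the Docker Engine API exposed over plain TCP on every
# interface, with no TLS client verification. This is the misconfiguration
# pattern behind the exposed-Docker-API attacks discussed in the article.
EXPOSED_DAEMON_JSON = '''
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}
'''

# Constructed sample of a hardened configuration: loopback only, and every
# TCP client must present a certificate signed by the configured CA.
HARDENED_DAEMON_JSON = '''
{
  "hosts": ["tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem"
}
'''

def audit_docker_daemon_config(config_text):
    """Return a list of findings describing unauthenticated network exposure
    of the Docker Engine API in a daemon.json document."""
    cfg = json.loads(config_text)
    findings = []
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # Unix socket only: not reachable over the network
    for h in tcp_hosts:
        # Strip the scheme and the trailing ":port" to isolate the bind address.
        bind_addr = h[len("tcp://"):].rsplit(":", 1)[0]
        if bind_addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"{h}: API bound to all interfaces")
    if not cfg.get("tlsverify"):
        if cfg.get("tls"):
            # --tls alone encrypts the channel but accepts any client.
            findings.append("tls enabled without tlsverify: clients are not authenticated")
        else:
            findings.append("tlsverify not enabled: TCP clients are not authenticated")
    return findings

if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_docker_daemon_config(doc) or ["no findings"])
```

The same checks apply to `-H tcp://...` flags passed on the dockerd command line; only the JSON form is parsed here.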

The bottom line is that this is just the beginning of a new kind of threat to supply chains. There's no chance of putting the digital genie back in the bottle, so instead organisations must focus on securely managing the risk.

To learn more about containerized infrastructure and cloud native technologies, consider coming to KubeCon + CloudNativeCon EU, March 30-April 2 in Amsterdam.

About the Author

Bharat Mistry, Principal Security Strategist, Trend Micro

Drawing upon his experience in all areas of security, Bharat works with CISOs, providing industry subject matter expertise in the development of information security strategies that link in-depth security defences to business requirements. Bharat focuses on major global clients in the Manufacturing, Oil & Gas, Financial Services, Telecommunications and Retail markets.

Published Wednesday, March 04, 2020 7:31 AM by David Marshall