Aqua Security published new research from Team Nautilus revealing a continued rise in cyberattacks targeting container infrastructure and supply chains, and showing that it can now take less than one hour to exploit vulnerable container infrastructure. The "Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure" provides a detailed analysis of how bad actors are getting better at hiding their increasingly sophisticated attacks.
"The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection," said Assaf Morag, Lead Data Analyst with Aqua's Team Nautilus. "At the same time, we're also seeing that attacks are now demonstrating more sinister motives with greater potential impact. Although cryptocurrency mining is still the lowest hanging fruit and thus is more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft."
Among the new attack techniques, Team Nautilus uncovered a massive campaign targeting the auto-build of SaaS dev environments.
"This has not been a common attack vector in the past, but that will likely change in 2021 because the deployment of detection, prevention, and security tools designed to protect the build process during CI/CD flow is still limited within most organizations," added Morag.
The results of this report were contributed as input into MITRE's creation of its new MITRE ATT&CK Container Framework. MITRE ATT&CK is used worldwide by cybersecurity practitioners to describe the taxonomy of the cyberattack kill chain from both the offensive and defensive sides.
The Aqua report presents detailed analysis of the high-profile attacks that Team Nautilus uncovered. Key findings include:
- Higher levels of sophistication in attacks: Attackers have amplified their use of evasion and obfuscation techniques in order to avoid detection. These include packing the payloads, running malware straight from memory, and using rootkits.
- Botnets are swiftly finding and infecting new hosts as they become vulnerable: 50% of new misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.
- Crypto-currency mining is still the most common objective: More than 90% of the malicious images execute resource hijacking.
- Increased use of backdoors: 40% of attacks involved creating backdoors on the host; adversaries are dropping dedicated malware, creating new users with root privileges, and creating SSH keys for remote access.
- Volume of attacks continues to grow: Daily attacks grew 26% on average between the first half and second half of 2020.
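As an added illustration of how the host-backdoor indicators in the findings above (new root-privileged users and new SSH keys) can be checked, here is example code written for this page, not code from Aqua or the report. It diffs a known-good baseline against a current snapshot of /etc/passwd and an authorized_keys file; both snapshots are constructed sample data.

```python
# Added defensive example (not from the report): flag the backdoor indicators the
# report lists, i.e. new accounts with root (UID 0) privileges and new SSH keys,
# by diffing a known-good baseline against a current snapshot of the host files.
# Constructed sample snapshots of /etc/passwd and authorized_keys (not real data).
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
"""
# Same host later: an attacker-added account with UID 0 masquerading as an admin.
CURRENT_PASSWD = BASELINE_PASSWD + "sysadm:x:0:0::/root:/bin/bash\n"
BASELINE_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIbaselinekeyexample ops@laptop\n"
CURRENT_KEYS = BASELINE_KEYS + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABunknownkeyexample\n"


def parse_passwd(text):
    """Map account name -> numeric UID, skipping blank or malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def parse_keys(text):
    """Return the set of key material (type + base64), ignoring the comment field."""
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            keys.add(parts[0] + " " + parts[1])
    return keys


def find_backdoor_indicators(base_passwd, cur_passwd, base_keys, cur_keys):
    """Report accounts that are new or newly UID 0, and SSH keys absent from baseline."""
    base_users, cur_users = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    new_root = sorted(n for n, uid in cur_users.items()
                      if uid == 0 and base_users.get(n) != 0)
    new_accounts = sorted(set(cur_users) - set(base_users))
    new_keys = sorted(parse_keys(cur_keys) - parse_keys(base_keys))
    return {"new_root_accounts": new_root,
            "new_accounts": new_accounts,
            "new_ssh_keys": new_keys}


if __name__ == "__main__":
    print(find_backdoor_indicators(BASELINE_PASSWD, CURRENT_PASSWD,
                                   BASELINE_KEYS, CURRENT_KEYS))
```

On a real host the baseline would be captured at image build time and the comparison run periodically or on a file-change event.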
Team Nautilus utilized Aqua's Dynamic Threat Analysis (DTA) product to analyze each attack. Aqua DTA is the industry's only container sandbox solution that dynamically assesses container image behaviors to determine whether they harbor hidden malware. This enables organizations to identify and mitigate attacks that target cloud native environments, which static malware scanners cannot detect, well before deployment in production.
Aqua Security's 2021 "Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure" is available now.