According to a new report from Sysdig, it costs $430,000 in cloud bills for an attacker to generate $8,100 in cryptocurrency revenue. The report confirms that cryptojacking remains the primary motivation for opportunistic attackers, who exploit vulnerabilities and weak system configurations. Using worldwide honeynets, the Sysdig Threat Research Team (Sysdig TRT) took an extensive look at TeamTNT and geopolitical activities over the past nine months. Sysdig was able to draw conclusions on TeamTNT, the explosion of malicious payloads in Docker Hub, and the rise in DDoS attacks after the Russia/Ukraine war began.
The rapid shift to containers and cloud has driven an increase in opportunities for attackers to steal data, take advantage of assets, and gain illicit network access. It's clear that container images have become a real attack vector, rather than a theoretical risk.
Key Findings
- Supply chain attacks on containers spawn cryptominers. Cryptomining is the most common outcome of cloud- and container-based compromises. Attackers are littering public repositories, like Docker Hub, with dangerous container images that contain cryptominers, backdoors, and many other unwelcome surprises, often disguised as legitimate popular software. Thirty-six percent of malicious Docker Hub images contain cryptominers. Embedded secrets are the second most prevalent category, which highlights the persistent challenges of secrets management.
- Attackers make $1 for every $53 a victim is billed. TeamTNT is a notorious cloud-targeting threat actor that generates the majority of its criminal profits through cryptojacking. Sysdig TRT attributed more than $8,100 worth of cryptocurrency to TeamTNT, which was mined on stolen cloud infrastructure, costing the victims more than $430,000. The full impact of TeamTNT and similar entities is unknowable, but at $1 of profit for every $53 the victim is billed, the damage to cloud users is extensive.
- DDoS attacks surge during conflict. The conflict between Russia and Ukraine includes a cyberwarfare component with government-supported threat actors and civilian hacktivists taking sides. The goals of disrupting IT infrastructure and utilities have led to a four-fold increase in DDoS attacks between 4Q21 and 1Q22.
- Cybercriminals take sides, enabled by civilian volunteers. Over 150,000 volunteers have joined anti-Russian DDoS campaigns using container images from Docker Hub. The threat actors hit anyone they perceive as sympathizing with their opponent, and any unsecured infrastructure is targeted for leverage in scaling the attacks.
What people are saying
"Security teams can no longer delude themselves with the idea that 'containers are too new or too ephemeral for threat actors to bother,'" said Stefano Chierici, Senior Security Researcher at Sysdig and Report Co-Author. "Attackers are in the cloud, and they are taking real money. The high prevalence of cryptojacking activity is attributable to the low risk and high reward for the perpetrators."
"The Ukrainian government globally crowdsourced their cyberwar efforts. This was unprecedented, but it shows that digital transformation has extended well beyond classic IT use cases," said Michael Clark, Director of Threat Research and Report Co-Author. "Willing and unwilling participants alike contributed their infrastructure to the DDoS disruptions."