Research suggests that container infrastructure can be exploited in less than one hour.
Aqua Security this week published new research from Team Nautilus revealing a continued rise in cyberattacks targeting container infrastructure and supply chains.
The report also shows that it can now take less than one hour to exploit vulnerable container infrastructure. The Cloud Native Threat Report: Attacks in the Wild on Container Infrastructure provides a detailed analysis of how bad actors are getting better at hiding their increasingly sophisticated attacks.
“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” said Assaf Morag, Lead Data Analyst with Aqua’s Team Nautilus.
Attack techniques are becoming “more sinister”
“At the same time, we’re also seeing that attacks are now demonstrating more sinister motives with greater potential impact. Although cryptocurrency mining is still the lowest hanging fruit and thus is more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft.”
Among the new attack techniques, Team Nautilus uncovered a campaign targeting the auto-build of SaaS dev environments.
“This has not been a common attack vector in the past, but that will likely change in 2021 because the deployment of detection, prevention, and security tools designed to protect the build process during CI/CD flow is still limited within most organizations,” added Morag.
The results of this report were contributed as input into MITRE’s creation of its new MITRE ATT&CK Container Framework. According to Aqua Security, MITRE ATT&CK is used worldwide by cybersecurity practitioners as the shared taxonomy for describing the cyberattack kill chain from both the offensive and defensive sides.
What the researchers found
The researchers found that attackers have amplified their use of evasion and obfuscation techniques in order to avoid detection. These include packing the payloads, running malware straight from memory, and using rootkits.
They also found that 50% of newly deployed, misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up. In addition, more than 90% of the malicious images perform resource hijacking.
Aqua found that 40% of attacks involved creating backdoors on the host. Adversaries appear to be dropping dedicated malware, creating new users with root privileges, and adding SSH keys for remote access.
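The "misconfigured Docker API" the report measures is typically a daemon listening on a TCP socket without mutual TLS. The following audit is an added example, not code from Aqua or the report: it checks a daemon.json for TCP listeners that are unauthenticated or bound to every interface. The two daemon.json documents are constructed for the demonstration; the `hosts`, `tls` and `tlsverify` keys are the real Docker daemon options.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json contents (not taken from the report): an exposed daemon
# and the mutual-TLS version of the same setup.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Bind addresses that expose the listener on every interface of the host.
WIDE_OPEN_BINDS = ("", "0.0.0.0", "::")


def audit_docker_daemon(config: dict) -> list[str]:
    """Return findings for a parsed daemon.json; an empty list means no TCP exposure issue."""
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: the API is not reachable over the network
    # "tlsverify" makes the daemon demand a client certificate (and implies "tls");
    # "tls" alone only encrypts the channel and still accepts any client.
    mutual_tls = bool(config.get("tlsverify", False))
    server_tls = mutual_tls or bool(config.get("tls", False))
    for host in tcp_hosts:
        url = urlsplit(host)
        bind = url.hostname or ""  # "" for tcp://:2375, which also means all interfaces
        if not server_tls:
            findings.append(f"{host}: plaintext Docker API, no authentication at all")
        elif not mutual_tls:
            findings.append(f"{host}: TLS without tlsverify, clients are not authenticated")
        if bind in WIDE_OPEN_BINDS:
            findings.append(f"{host}: listener bound to all interfaces")
    return findings


def audit_daemon_json(text: str) -> list[str]:
    """Parse daemon.json text, then audit it."""
    return audit_docker_daemon(json.loads(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(cfg) or ["ok"])
```

The same check can be applied to the `-H` arguments of a running `dockerd` process; only the source of the host list changes.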
The report states that the sheer volume of attacks continues to grow. Daily attacks grew 26% on average between the first half and second half of 2020.