Containers, new prey for cybercriminals
For several months, cyberattacks have been gaining momentum, causing ever more damage. The latest trend highlighted in the Aqua Security study shows that hackers are also successfully attacking containerized and cloud-native environments.
Specialized in security solutions for cloud, virtualized and containerized environments, Aqua Security analyzed data relating to 17,521 cyberattacks identified in the 2nd half of 2020, up 26% compared to the previous half. The findings, compiled in its latest Cloud Native Threat Report, shed light on the evolution of techniques used by cybercriminals. “They continue to look for other ways to attack cloud-native environments,” says Aqua Security. “We have identified massive attacks targeting supply chains, self-build code repository processes, registries, and continuous integration service providers which were not common vectors in the past.” Behind these campaigns, several objectives stand out: hijacking these environments for cryptomining (41%) or installing a backdoor (36%) to access a victim’s network and information system.
Attacks on containerized environments can be carried out via images that carry obfuscation capabilities or malicious commands. In the second half of 2020, a compromise vector was observed that aimed to corrupt the image directly on a target host. “Attackers used a Docker SDK for Python package to send commands to a misconfigured Docker API. The attack sequence started by sending GET requests to explore the Docker server and POST requests to build and run a corrupted image on a target host,” says Aqua Security. In the second half of 2020, 3.78 images per day were used for compromise purposes compared to 2.75 a year earlier, showing that attackers are diversifying their techniques. At the same time, the number of direct attacks has increased significantly, exceeding an average of 97 against barely 13 in the second half of 2020.
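The sequence described in the quote above (GET requests to explore the API, then POST requests to build and run an image) can be looked for in the access log of a proxy placed in front of the Docker API. The following is an added example, not code from the Aqua Security report; the five-field log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed format: "<time> <source-ip> <method> <path> <status>"
SAMPLE_LOG = """\
2020-11-02T10:00:01Z 203.0.113.7 GET /_ping 200
2020-11-02T10:00:02Z 203.0.113.7 GET /v1.40/version 200
2020-11-02T10:00:09Z 203.0.113.7 POST /v1.40/build?t=app 200
2020-11-02T10:00:15Z 203.0.113.7 POST /v1.40/containers/create 201
2020-11-02T10:00:16Z 203.0.113.7 POST /v1.40/containers/4f2a/start 204
2020-11-02T10:05:00Z 198.51.100.20 GET /v1.40/info 200
2020-11-02T10:06:00Z 192.0.2.44 POST /v1.40/containers/create 201
"""

VERSION_PREFIX = re.compile(r"^/v\d+\.\d+")
RECON = re.compile(r"^/(_ping|version|info|containers/json|images/json)$")
RUN = re.compile(r"^/containers/(create|[^/]+/start)$")

def classify(method, path):
    """Map one Docker Engine API request to a stage, or None."""
    path = VERSION_PREFIX.sub("", path.split("?", 1)[0])
    if method == "GET" and RECON.match(path):
        return "recon"
    if method == "POST" and path == "/build":
        return "build"
    if method == "POST" and RUN.match(path):
        return "run"
    return None

def find_build_and_run(log_text, trusted=frozenset()):
    """Return source IPs that explored the API, then built an image, then ran a container."""
    order = ["recon", "build", "run"]
    progress = defaultdict(int)   # per-IP index of the next expected stage
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue              # skip malformed lines
        _, src, method, path, status = fields
        if src in trusted or not status.startswith("2"):
            continue              # only successful calls from unknown sources
        stage = classify(method, path)
        if progress[src] < len(order) and stage == order[progress[src]]:
            progress[src] += 1
            if progress[src] == len(order):
                flagged.append(src)
    return flagged

print(find_build_and_run(SAMPLE_LOG))
```

Pass the addresses of legitimate CI runners or management hosts in `trusted` so that only unexpected sources completing all three stages are reported.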
Undetected malicious IP addresses
“All of the IP addresses used in the attacks were linked to cloud services and hosting providers. Our honeypots recorded inbound traffic from Russia (17.3%) and the United States (15.9%). Surprisingly, only 13.43% of IP addresses are marked as malicious in blocklists. This means that network detection and prevention systems that rely on popular blocklists will generally be ineffective in detecting and preventing such communications,” the report also states. On average, attackers take 5 hours to scan a honeypot, but a few minutes for the fastest and up to 24 hours for the slowest. The median discovery time is about an hour.
As part of its report, Aqua Security mapped the specifics of cyberattacks targeting containers to the MITRE ATT&CK framework, which is commonly used in cybersecurity. Several findings stand out, such as the fact that hackers continue to use worms to detect and infect vulnerable hosts, and to download malicious files during the execution of containers in order to trap websites with corrupted code. They can also carry out attacks mainly exploiting a misconfigured Docker API port exposed on the web and allowing access to web traffic via incoming calls. “Above the usual attack vector against misconfigured APIs, we also saw build files on a host written in base64,” Aqua Security continues.