Aqua Security’s research lab “Team Nautilus”, recently released their Cloud Native Threat Report which provided some interesting trends when it comes to how attackers are targeting containers and their respective infrastructure. The most interesting and arguably most scary statistic from this report is regarding the “time to target” data which came from Team Nautilus' honeypot observations. While it is no surprise that where there is an attack surface, there will be attackers actively probing for vulnerabilities, Team Nautilus observed that for every container they deployed, half were discovered and enumerated within 56 minutes, with the other half being discovered within 5 hours.
Let’s dive in.
Hackers who are targeting container based infrastructure have a few tools on their toolbelt to discover and enumerate targets. Attackers have been found to be using open source intelligence tools such as Shodan, Censys and believe it or not Google to passively discover attack surfaces they want to target. From an active reconnaissance perspective, tools like Masscan are likely a contributing factor for the worryingly short time window between deployment and discovery. Arguably, this data point from the report should generally not come as a surprise as these techniques have been common for decades with the slight increase in open source intelligence tools and Masscan's performance capabilities.
Attackers are Targeting the Container Supply Chain
As discussed in previous posts, attackers are leveraging the supply chain of containerization to compromise organizations. This indirect attack path allows attackers not only to exploit the inherent trust of the supply chain but also enables them to gain victims at a more exponential rate compared to direct targeting means.
The inherent trust in container supply chain tools such DockerHub are a major problem. Assessing the 4 million images on Dockerhub found that 51% of them contained vulnerabilities! Additionally, the researchers found that 6500 docker images were deemed purposefully malicious with the intent to steal credentials, exfiltrate data, and/or install backdoors. There were several instances of malicious container images utilizing the typo squatting technique to trick victims into downloading a malicious container instead of the legitimate one. In the report the research team provided the example of the look-a-like DockerHub registry “Tesnorflow”, which could easily be mistaken for the legitimate registry for the machine learning platform “Tensorflow”.
Also Targeting Vulnerable Container Environments
In a previous Lunch’n’Learn I have coducted, I discussed how attackers are targeting DevOps toolchains and one of the major lessons to be gained from that talk was that fact that Docker and Kubernetes are not deployed secure by default and require formidable planning and configuration to be “secure”. This report echoed those concerns and identified public exposure, misconfigurations or insecure APIs as the leading cause of container infrastructure compromise.
As mentioned above, there are a plethora of tools on the Internet enabling quick and easy identification of vulnerable infrastructure which is resulting in compromise.
Team Nautilus determined that over 90% of the attacks against containers and container supply chains are focused on quick-win/smash and grab crimes of cryptomining. These types of attacks are considered nuisances, because it just increases a companies Cloud costs, but should not be considered benign. This is because Team Nautilus speculates that attackers are looking for some quick-wins while they further explore victims infrastructure and determine if they can install back doors, escape the container, target the victims Cloud infrastructure or install a worm to automate propagation to other victims.
Finally, while most attacks seemed automated and unsophisticated, the report did identify some threat actors which were using sophisticated techniques to avoid detection and maintain persistence. Team Nautilus provided examples where attackers were able to escape the container, escalate privileges within the container infrastructure and then use sophisticated means to custom construct malware and cryptominers through binary obfuscation and in-memory execution to evade common malware and cryptomining detection capabilities.
Want to learn more? Here is a link to the full report: https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf