It takes less than one hour to exploit vulnerable container infrastructure
Aqua Security published a research revealing a continued rise in cyberattacks targeting container infrastructure and supply chains, and showing that it can now take less than one hour to exploit vulnerable container infrastructure. The report provides a detailed analysis of how bad actors are getting better at hiding their increasingly sophisticated attacks.
“The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” said Assaf Morag, Lead Data Analyst with Aqua’s Team Nautilus.
“At the same time, we’re also seeing that attacks are now demonstrating more sinister motives with greater potential impact. Although cryptocurrency mining is still the lowest hanging fruit and thus is more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft.”
Among the new attack techniques, a massive campaign targeting the auto-build of SaaS dev environments was uncovered.
“This has not been a common attack vector in the past, but that will likely change in 2021 because the deployment of detection, prevention, and security tools designed to protect the build process during CI/CD flow is still limited within most organizations,” added Morag.
Vulnerable container infrastructure challenges
- Higher levels of sophistication in attacks: Attackers have amplified their use of evasion and obfuscation techniques in order to avoid detection. These include packing the payloads, running malware straight from memory, and using rootkits.
- Botnets are swiftly finding and infecting new hosts as they become vulnerable: 50% of new misconfigured Docker APIs are attacked by botnets within 56 minutes of being set up.
- Crypto-currency mining is still the most common objective: More than 90% of the malicious images execute resources hijacking.
- Increased use of backdoors: 40% of attacks involved creating backdoors on the host; adversaries are dropping dedicated malware, creating new users with root privileges and creating SSH keys for remote access.
- Volume of attacks continues to grow: Daily attacks grew 26% on average between the first half and second half of 2020.