Evolving threats targeting cloud-native environments

Cloud-native environments are now becoming increasingly targeted by cybercriminals with new tactics, techniques, and procedures.
4 May 2022

Cloud-native environments are increasingly targeted by cybercriminals using new tactics, techniques, and procedures, including a rise in attacks on Docker and Kubernetes environments.

According to the 2022 Cloud-Native Threat Report: Tracking Software Supply Chain and Kubernetes Attacks and Techniques by Aqua Security, cybercriminals are adopting more sophisticated techniques, leveraging multiple attack components, and shifting attention to Kubernetes and the software supply chain.

Aqua's research team, Nautilus, observed increased use of backdoors, rootkits, and credential stealers, signs that intruders have more than crypto mining in their plans. Backdoors, which permit a threat actor to access a system remotely and are used to establish persistence in the compromised environment, were encountered in 54% of attacks (up 9% compared with 2020).

Additionally, half of the malicious container images (51%) analyzed by researchers contained worms, which allow attackers to increase the scope of their attack with minimal effort (up 10% compared with 2020). For CI/CD and Kubernetes environments, 19% of the malicious container images analyzed targeted Kubernetes, including kubelets and API servers, up 9% compared to the previous year.

Assaf Morag, Threat Intelligence and Data Analyst Lead at Aqua's Team Nautilus, said these findings underscore the reality that cloud-native environments now represent a target for attackers, and that the techniques are always evolving. He added that the broad attack surface of a Kubernetes cluster is attractive to threat actors, and that once they are in, they look for low-hanging fruit.

The report also showed that the proportion and variety of observed attacks targeting Kubernetes have increased, including wider weaponization of Kubernetes UI tools. Supply chain attacks accounted for 14.3% of the sample of images from public image libraries, showing that they continue to be an effective method of attacking cloud-native environments.

The researchers also observed honeypot attacks by TeamTNT after the group announced its retirement in December 2021. However, no new tactics have been observed, so it is unclear whether the group is still in operation or whether the ongoing attacks originate from automated attack infrastructure left running. Regardless, enterprise teams should continue preventative measures against these threats.

Aqua's Team Nautilus made extensive use of honeypots to investigate attacks in the wild. To investigate supply chain attacks against cloud-native applications, the team examined images and packages from public registries and repositories such as Docker Hub, npm, and the Python Package Index.

Team Nautilus used Aqua's Dynamic Threat Analysis (DTA) product to analyze each attack. Aqua DTA is described as the industry's first container sandbox solution that dynamically assesses container image behavior to determine whether an image harbors hidden malware. This enables organizations to identify and mitigate attacks that static malware scanners cannot detect.

“The key takeaway from this report is that attackers are highly active — more than ever before — and more frequently targeting vulnerabilities in applications, open-source, and cloud technology. Security practitioners, developers, and DevOps teams must seek out security solutions that are purpose-built for cloud-native. Implementing proactive and preventative security measures will allow for stronger security and ultimately protect environments,” added Morag.

Meanwhile, Sitaram Iyer, Global Security Architect at Jetstack, pointed out that as the popularity of Kubernetes has risen, so too have the severity and frequency of attacks on it, as cybercriminals have realized that Kubernetes can be vulnerable. For example, the cybercrime group TeamTNT has been a real exponent of this, having compromised more than 50,000 Kubernetes clusters over the last few years, spreading malware at will, and eventually launching a crypto miner.

“With the pace of innovation in cloud rocketing, so too is the number of machine identities in use for the deployed applications. Many of these applications will be spun up and down in a matter of seconds and are highly ephemeral. However, each application needs to be given an identity, which must be managed throughout its lifecycle,” explained Iyer. “Enterprises are struggling to issue and manage these identities at cloud speed and scale. The result is new security risks due to mismanagement of machine identities.”

Iyer believes that zero trust is vital to protecting organizations against attacks targeting Kubernetes. It's important that businesses stop blindly trusting everything within their build environments and instead adopt a stance whereby every component of the build pipeline is proactively challenged.

Aqua’s Team Nautilus also recommends implementing runtime security measures, a layered approach to Kubernetes security, and scanning in development.