Research finds that adversaries could detect a new misconfigured container within an average of five hours
Attacks against the container infrastructure are continuing to increase in both frequency and sophistication. It takes just a few hours to detect a new vulnerable container using internet scanning tools like Masscan. The attacks are becoming more evasive, while the supply chain is now targeted.
Aqua Security’s Team Nautilus has analyzed 17,358 attacks against its honeypots between June 2019 and December 2020. It found that adversaries could detect a new misconfigured container within an average of five hours – the fastest within a few minutes and the longest at 24 hours. In 50% of cases, the new container was detected in less than one hour. The implication is clear: if a new container is set up today with a view to securing it tomorrow, it will be too late. The likelihood is that the container will already be compromised.
Some adversaries continue to use public search engines like Shodan and Censys to find misconfigurations, but others use scanning tools such as masscan (developed by Errata Security’s Robert Graham and able to scan the entire internet in just 6 minutes, producing results similar to nmap). Once a host has been compromised, the adversary will likely use worms to detect and infect new hosts, increasing the frequency of scanning and the likelihood of detecting new misconfigurations.
Aqua’s Cloud Native Threat Report (PDF) includes an example of the function Dockergeddon, containing Masscan and Zgrab. It can scan entire netblocks and detect compromised Docker APIs, collect information on the host and deploy a malicious container.
More than 90% of the attacks are designed to hijack resources for cryptomining. Most of these are related to the Kinsing malware campaign, which downloads a cryptominer. Cryptomining is often seen as more of an inconvenience than a threat, but Aqua warns that more than 40% of the attacks also involve backdoors.
“The likely explanation,” say the researchers, “is that attackers are looking to maximize their gain from each attack, using crypto-mining as the potential short-term gain. But their longer-term goal is gaining a backdoor to the environment and achieving additional access to the victims’ environments and networks.”
The frequency of attacks has grown sharply over the last year – from an average of 12.6 per day in H2 2019 to 77 per day in H1 2020, and 97.3 in H2 2020. The honeypots reported that the greatest number of attacks came from Russia (17.3%), with the U.S. not far behind at 15.9%. Only 13.4% of the detected source IPs are marked as malicious in block lists.
With this growth in volume has come an increase in sophistication, especially in terms of evasion techniques. “Adversaries are using more and more techniques designed to detect and remove security software,” note the researchers. Packers, such as UPX and ezuri are also used to evade signature detection.
Until recently, most attacks would use a dedicated malicious image that could potentially be detected by anti-malware security, or a benign image running malicious scripts at the entry point, which would need a dynamic scanner able to detect files written to disk during runtime.
Now, however, fileless attacks are increasing. The malware is loaded into memory and executed from there, leaving no trace on the disk. “The threat landscape has morphed as malicious adversaries extend their arsenals with new and advanced techniques to avoid detection,” comments Assaf Morag, lead data analyst with Aqua’s Team Nautilus. “At the same time, we’re also seeing that attacks are now demonstrating more sinister motives with greater potential impact. Although cryptocurrency mining is still the lowest hanging fruit and thus is more targeted, we have seen more attacks that involve delivery of malware, establishing of backdoors, and data and credentials theft.”
The attackers are also using privilege escalation to escape from the container to the host. In such cases they might leave backdoors on the host by dropping dedicated malware, or by creating new users with root privileges and SSH keys for remote access. This can lead to the collection and exfiltration of credentials and sensitive data from the host.
One of the more disturbing developments detected by Aqua Security is the discovery of a massive campaign targeting the auto-build process of code repositories, registries, and CI service providers. “This has not been a common attack vector in the past,” added Morag, “but that will likely change in 2021 because the deployment of detection, prevention, and security tools designed to protect the build process during CI/CD flow is still limited within most organizations.” The researchers describe it as the ‘soft belly’ of the container infrastructure.”
They warn that, “Hiding an attack during a CI build can succeed in most organizations’ CI environments. This attack targets supply-chain processes and could be modified to target other hidden supply chain components, processes, or even the build artifacts themselves, which can pose a severe threat.”
The biggest takeaways from the research are that the volume of attacks is increasing (implying that organized and well-funded teams are behind them); and that these teams are adapting and updating their techniques at a faster rate – creating a more rapid cat-and-mouse game for container defenders.
Related: Aqua Security Achieves Unicorn Status After $135 Million Funding Round
Related: Despite Warnings, Cloud Misconfiguration Problem Remains Disturbing
Related: ATT&CK v9 Introduces Containers, Google Workspace
Related: IT Teams Question Security of App Containers: Survey
