Aqua Blog

The Great Escape: A Blast Radius Analysis of Container Attacks

In 2021, container attacks have been on the rise. We observed numerous attacks that were designed to escape container environments to the underlying host, increasing the impact of the attack. But how much damage can be caused when an attacker manages to escape a container? To answer this question, we conducted an analysis of real-world container attacks to determine their blast radius.

We identified 105 hosts in the wild that were victims of malicious container images and analyzed the blast radius, that is, the total potential impact, of the attacks. Our analysis showed that 36% of the victim hosts had multiple severe vulnerabilities and misconfigurations that could potentially lead to severe damage. In addition, 70% of the hosts had mild potential for credential theft and lateral movement.

Several weeks later, we analyzed the same 105 victim hosts again and found that 50% had corrected all of their vulnerabilities and misconfigurations, 12% had fixed some but not all of them, and 25% had changed nothing. Thus, we’ve concluded that most security practitioners can detect vulnerabilities and misconfigurations, but they either fail to do so in a timely manner, or they fail to fix the issue quickly.

Escaping the container to the world beyond

The Blast Radius Analysis of Container Attacks report outlines the resources that were potentially vulnerable after the attacker gained access to the environment:

  • Remote services
    Threat actors try to obtain SSH (Secure Shell) keys to gain access to sensitive services and move laterally to additional hosts.
  • Cloud metadata
    Some attacks attempt to collect cloud metadata, which can then be used to obtain keys or secrets that help them gain access to other accounts or environments.
  • HTTP
    If a service is using unencrypted HTTP, an attacker may intercept and analyze communications to look for credentials or other information that may increase their reach inside the host system.
  • Databases
    Database services are susceptible to direct attacks, such as brute forcing. Some databases are installed with no credentials by default, so an attacker who is already on the host can read their data directly.

How large can a blast radius be? A case study

As we discovered in a case study of one victim, there are further resources on the host that may be exploited by an attacker:

An unprotected website

When a website doesn’t properly encrypt communications by using HTTP instead of HTTPS, it can undermine other protections. If the attackers have access to the host, they can record all communications and intercept sensitive data, such as passwords, personally identifiable information (PII), and more.

Installed databases

Databases are often targeted by attackers. This host was running both MySQL and Redis databases. If the attackers have access to the host, they can search for passwords and secrets or brute force their way to gain access to these databases. As some databases don’t require authentication by default, the attackers will be able to easily collect the data.

Installed big data technologies

Apache ZooKeeper is an open source coordination service for distributed applications, usually found in big data stacks. This host was running version 3.4.9, which has a critical vulnerability. In our example, we saw a huge cluster with more than 200 nodes, which means it likely contains critical data. By exploiting this vulnerability, the attackers can access any valuable data in the Apache ZooKeeper service.
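As an added example (not code from the Aqua post or its report), the following Python script audits a host for the three case-study findings above: a site served over plaintext HTTP, a Redis instance that accepts clients without a password, and a ZooKeeper version below an operator-set baseline. The config excerpts are constructed, and `min_version` is a placeholder because the post names no CVE or fixed release.

```python
import re
from typing import Dict, List

# Constructed sample inputs standing in for files and command output on the case-study host.
REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass <set a password here>
"""
NGINX_CONF = """\
server {
    listen 80;
    server_name shop.example.test;
    location /login { proxy_pass http://127.0.0.1:8080; }
}
"""
ZK_STAT = "Zookeeper version: 3.4.9-1757313, built on 08/23/2016 06:50 GMT\nMode: leader\n"

def redis_directives(conf: str) -> Dict[str, List[str]]:
    """Map active (non-comment) redis.conf directives to their arguments."""
    out: Dict[str, List[str]] = {}
    for line in conf.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            out[parts[0]] = parts[1:]
    return out

def audit_redis(conf: str) -> List[str]:
    d = redis_directives(conf)
    findings = []
    if "requirepass" not in d:
        findings.append("redis: no requirepass set, clients need no password")
    if d.get("protected-mode") == ["no"] and d.get("bind", ["127.0.0.1"])[0] != "127.0.0.1":
        findings.append("redis: protected-mode off and bound to a non-loopback address")
    return findings

def audit_http(conf: str) -> List[str]:
    """Flag an nginx site that listens on port 80 with neither TLS nor a redirect to HTTPS."""
    listens = re.findall(r"listen\s+([^;]+);", conf)
    ports = [l.split()[0].rsplit(":", 1)[-1] for l in listens]
    has_tls = re.search(r"listen\s+[^;]*\bssl\b", conf) is not None
    if "80" in ports and not has_tls and "return 301 https://" not in conf:
        return ["http: site served over plaintext HTTP, credentials and PII are interceptable"]
    return []

def audit_zookeeper(stat: str, min_version: str = "3.4.10") -> List[str]:
    """Compare the version from ZooKeeper's 'stat' output with a placeholder baseline."""
    m = re.search(r"Zookeeper version: (\d+)\.(\d+)\.(\d+)", stat)
    if not m:
        return ["zookeeper: could not parse version from stat output"]
    ver = tuple(int(x) for x in m.groups())
    if ver < tuple(int(x) for x in min_version.split(".")):
        return [f"zookeeper: version {'.'.join(map(str, ver))} is below baseline {min_version}"]
    return []

def audit_host() -> Dict[str, List[str]]:
    return {"redis": audit_redis(REDIS_CONF), "http": audit_http(NGINX_CONF),
            "zookeeper": audit_zookeeper(ZK_STAT)}
```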

Keeping attacks contained

Throughout the analysis we learned several lessons about reducing the impact of container attacks, including a surprising recommendation against a fairly common security practice. To find out the key lessons learned and the recommended course of action to protect your own environment, get our Blast Radius Analysis of Container Attacks report.

Assaf Morag
Assaf is the Director of Threat Intelligence at Aqua Nautilus, where he is responsible for acquiring threat intelligence related to the software development life cycle in cloud native environments, supporting the team's data needs, and helping Aqua and the broader industry remain at the forefront of emerging threats and protective methodologies. His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE ATT&CK Container Framework.

Assaf recently completed recording a course for O’Reilly, focusing on cyber threat intelligence in cloud-native environments. The course covers both theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies associated with securing cloud-native infrastructures.