Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Fifty percent of new misconfigured Docker instances are attacked by botnets within 56 minutes of being set up, Aqua Security said in its 2020 Cloud-Native Report. Five hours, on average, is all it takes for an attacker to scan a new honeypot, the pure-play cloud native security company said.
The majority of attacks were focused on crypto mining, which may be perceived as “more of a nuisance than a severe threat,” Aqua Security noted. However, 40% of attacks also involved backdoors to gain access to the victim’s environment and networks. Backdoors were enabled by dropping dedicated malware or creating new users with root privileges and SSH keys for remote access. More than 36% of attacks involved worms to detect and infect new victims.
Adversaries keep searching for new ways to attack cloud native environments. They are not just looking for port 2375 (unencrypted Docker connections) and other ports related to cloud native services, Aqua Security noted in the research. There were campaigns targeting supply chains, the auto-build process of code repositories, registries, and CI service providers. There are also attacks through Docker Hub and GitHub where adversaries relied on typo-squatting — or misspellings of popular, public projects — to trick developers into pulling and running malicious container images or code packages.
Attackers are extending their arsenals with new and advanced techniques to avoid detection, such as leveraging privilege-escalation techniques to escape from within containers to the host machine.
The report analysis was conducted using Aqua Security’s Dynamic Threat Analysis (DTA) tool, which is powered by the open source project Tracee. The software enables users to perform runtime security and forensics in a Linux environment using eBPF (a Linux firewall framework). The attackers’ techniques were classified according to the MITRE ATT&CK framework to map the full, improved attacker arsenal all the way from Initial Access to Data Exfiltration, and everything in between.
Between June 2019 and December 2020, the team at Aqua observed that botnets are swiftly finding and infecting new hosts as they become vulnerable. The team observed 17,358 individual “honeypot” attacks with increased sophistication in terms of privilege escalation, hiding and persistence. The average number of attacks also rose -– from 12.6 per day in second half of 2019 to 77 per day in the first half of 2020. By the second half of 2020, the number average number of attacks was 97.3 per day.
Read Aqua Security’s full Cloud Native Threats report and detailed attack analysis.
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.