Aqua Security report reveals evolving techniques targeting cloud native environments

Companies are adopting cloud native technologies faster than ever before. With new technology comes new threats and challenges, so it’s no surprise that we’re seeing an increasing number of cyber threats targeting cloud native environments.


A recent report from Aqua Security’s Team Nautilus focuses on uncovering the specific threats and attacks that target cloud native.  The report summarises observations and discoveries made throughout 2021, based on actual attacks in the wild and sheds light on the newest threats facing practitioners in the cloud native threat landscape.


Aqua Security’s CISO, Paul Calatayud, discloses that to investigate attacks in the wild, researchers utilised honeypots that lure attackers and trick them into conducting their activities in an environment that’s controlled and monitored by researchers.


This approach allows them to collect indicators of compromise, including malicious files, malicious network communication, indications of container escape, malware, cryptominer activity, code injection and backdoors.


To investigate supply-chain attacks against cloud native applications, the team examined images from public registries and repositories, such as NPM and Python Package Index. Observations were augmented with data from Shodan, the search engine for internet- connected devices.


Key findings


  1. An increase in sophistication. Attacks are becoming even more sophisticated, with threat actors’ tactics, techniques, and procedures advancing rapidly. In 2021, backdoors were encountered in 54% of attacks, an increase of 9 percentage points compared with in 2020. The usage of worms rose by 10 percentage points to 51% of attacks, compared with 41% the previous year. The team also observed more sophisticated activity involving rootkits, fileless execution, and loading kernel modules.


  1. A shift to Kubernetes. Adversaries shifted their attention from Docker to Kubernetes and the CI/CD pipeline. Threat actors broadened their targets to include CI/CD environments and vulnerable Kubernetes deployments and applications. The proportion and variety of observed attacks targeting Kubernetes increased. Based on the observed attacks, the number of malicious images with potential to target Kubernetes environments increased by 10 percentage points, from 9% in 2020 to a full 19% in 2021.


  1. Supply-chain continues to be effective. Supply-chain attacks represent 14.3% of the sample of images from public image libraries*.  An analysis of over 1,100 container images uploaded to one of the world’s largest image communities and libraries in the past year revealed that 13% were related to potentially unwanted applications, such as cryptominers, and 1.3% were related to malware.  *This sample is not a statistically significant sample size of all public image libraries.


  1. Log4j zero-day vulnerability immediately exploited in the wild. The popular logging library is estimated to be present in over 100 million instances globally. Once the honeypot was set up, some of the largest botnets—including Muhstik and Mirai—began targeting it within minutes. Researchers detected multiple malicious techniques, including known malware, fileless execution, files that were downloaded and executed from memory, and reverse shell executions.


  1. TeamTNT doesn’t retire. The most prolific threat actor targeting cloud native environments, TeamTNT, announced its retirement in December 2021 but was still actively attacking honeypots a month later. However, new tactics were in use making it unclear if the ongoing attacks originated from automated attack infrastructure that was left operating or if TeamTNT faked their retirement. It appears as if some of the command-and-control servers, a third-party registry, and a worm are still operational and infecting new targets.


Defending against evolving threats


Report data shows that although attackers are becoming more sophisticated, they’re equally on the search for easy, broad targets, such as Kubernetes.


And while the following veteran cloud native attackers (e.g., Team TNT) are slowing down their activity, new attackers from the traditional security space are entering the cloud native space.


We recommend proactive measures for practitioners:


  1. Implement runtime security: The increased use of backdoors, worms, rootkits and other sophisticated tactics clearly demonstrates that runtime security is a key component of any cloud native security strategy. This is equally the case as we
    see increases in supply-chain attacks that don’t rely on vulnerabilities although they can introduce them—in which the actual attacker behavior might manifest only in runtime. The timeline of Log4j, with attackers targeting honeypots within hours of a newly available exploit opportunity, also emphasises the need for runtime protection.


  1. Utilise layered Kubernetes security: Kubernetes security is a broad attack vector. The targeting of Kubernetes specific elements, such as kubelets and API servers, and the exploitation of Kubernetes UI tools reinforce the need to secure Kubernetes environments both at the container and orchestrator level. A layered approach is the only way to cover all your bases in the event that an attacker has found a way in.


  1. Implement scanning in development: Vulnerabilities like Log4j show us how critical scanning is in development, also how critical it is to invest in tooling that allows practitioners to gain visibility across the entire cloud native stack.