New report reveals evolving techniques targeting cloud-native environments

GUEST NOTE: Businesses are adopting cloud-native technologies faster than ever. With new technologies come new threats and new challenges. It is therefore not surprising that we are seeing an increasing number of cyber threats targeting cloud-native environments.

A recent report from Team Nautilus focuses on uncovering specific threats and attacks that target cloud-native environments. The report summarizes observations and findings made throughout 2021, based on actual attacks in the wild, and highlights the most recent threats facing practitioners in the cloud-native threat landscape.

To investigate attacks in the wild, researchers used honeypots that lure attackers into conducting their activities in an environment controlled and monitored by researchers. This approach allows them to collect indicators of compromise including malicious files, malicious network communications, container evasion indications, malware, cryptomining activity, code injection, and backdoors.

To investigate supply chain attacks against cloud-native applications, the team reviewed images from public registries and repositories, such as NPM and Python Package Index. The observations were supplemented with data from Shodan, the search engine for internet-connected devices.

Main conclusions

An increase in sophistication. Attacks are becoming even more sophisticated, with threat actors’ tactics, techniques and procedures advancing rapidly. In 2021, backdoors were encountered in 54% of attacks, an increase of nine percentage points from 2020. The use of worms increased by 10 percentage points to 51% of attacks, up from 41% the previous year. The team also observed more sophisticated activity involving rootkits, fileless execution, and kernel module loading.

Switching to Kubernetes. Adversaries have shifted their focus from Docker to Kubernetes and the CI/CD pipeline. Hackers have expanded their targets to include CI/CD environments and vulnerable Kubernetes deployments and applications. The proportion and variety of observed attacks targeting Kubernetes have increased. Based on observed attacks, the number of malicious images likely to target Kubernetes environments increased by 10%, from 9% in 2020 to 19% in 2021.

Supply chain attacks remain effective. Supply chain attacks represent 14.3% of the sample of images from public image libraries (NB: this sample is not a statistically significant sample of all public image libraries). An analysis of over 1,100 container images uploaded to one of the world’s largest communities and image libraries over the past year found that 13% were linked to potentially unwanted applications, such as cryptominers, and 1.3% were related to malware.

The Log4j zero-day vulnerability was exploited in the wild immediately. The popular logging library is estimated to be present in over 100 million instances worldwide. Once the honeypot was in place, some of the biggest botnets, including Muhstik and Mirai, started targeting it within minutes. The researchers detected several malicious techniques, including known malware, fileless executions, files downloaded and executed from memory, and reverse shell executions.

TeamTNT is not retiring. The most prolific threat actor targeting cloud-native environments, TeamTNT, announced its retirement in December 2021, but was still actively attacking honeypots a month later. However, new tactics were being used, making it unclear whether the ongoing attacks originated from an automated attack infrastructure that had remained in service or whether TeamTNT had faked its retirement. It appears that some of the command and control servers, a third-party registry, and a worm are still up and infecting new targets.

Defend against evolving threats

The report’s data shows that while attackers are becoming increasingly sophisticated, they are also looking for soft and broad targets, such as Kubernetes.

And while veteran cloud-native attackers such as TeamTNT are slowing down, new attackers from the traditional threat landscape are entering the cloud-native space.

We recommend proactive measures for practitioners:

Implement runtime security. The increased use of backdoors, worms, rootkits, and other sophisticated tactics clearly demonstrates that runtime security is a key component of any cloud-native security strategy. This is also the case as we see an increase in supply chain attacks that do not rely on vulnerabilities (although they may introduce them), in which the attacker’s actual behavior may only manifest at run time. Log4j’s timeline, with attackers targeting honeypots within hours of a new exploit opportunity, also highlights the need for execution protection.
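As an added illustration of what "runtime security" means in practice (this is example material written for this note, not part of the Team Nautilus report or its tooling), the following Falco-style rules watch for two behaviors the report associates with the attacks it observed: a process executed from the memory-backed /dev/shm filesystem (a common fileless-execution pattern) and a write to /etc/ld.so.preload (a common user-space rootkit persistence point). Field names (evt.type, proc.exepath, fd.name, evt.is_open_write, container.id) are standard Falco fields; the macro and rule names are our own and the thresholds are assumptions for the example.

```yaml
# Example Falco rules (added illustration, not from the original report).
# A helper macro so the rules below are self-contained: an execve/execveat
# call in its exit direction means a process actually started.
- macro: example_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Rule 1: fileless execution. Binaries dropped into /dev/shm never touch
# persistent disk, so image scanning cannot see them; only runtime
# monitoring catches the execution itself.
- rule: Example - Execution from /dev/shm
  desc: A process was started from a binary located in the tmpfs /dev/shm
  condition: >
    example_spawned_process
    and proc.exepath startswith /dev/shm
  output: >
    Execution from /dev/shm detected
    (command=%proc.cmdline exe=%proc.exepath user=%user.name
    container=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [example, fileless, runtime]

# Rule 2: rootkit persistence. Any write to /etc/ld.so.preload from a
# container is suspicious; legitimate images almost never modify it.
- rule: Example - Write to ld.so.preload
  desc: /etc/ld.so.preload was opened for writing inside a container
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_write=true
    and fd.name=/etc/ld.so.preload
    and container.id != host
  output: >
    ld.so.preload modified in container
    (command=%proc.cmdline file=%fd.name user=%user.name
    container=%container.id image=%container.image.repository)
  priority: CRITICAL
  tags: [example, rootkit, persistence, runtime]
```

Both rules key on behavior rather than on a file hash or image tag, which is the point the paragraph above makes: a trojanized image or a freshly exploited Log4j instance looks clean at rest and only reveals itself when it starts executing. In a real deployment, tune the exception list (for instance, an init container that legitimately touches /etc/ld.so.preload) before raising the priority to alerting.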

Use layered Kubernetes security. Kubernetes presents a large attack surface. Attackers targeting Kubernetes-specific components, such as kubelets and API servers, and leveraging Kubernetes UI tools reinforce the need to secure Kubernetes environments at both the container level and the orchestrator level. A layered approach is the only way to cover all your bases in case an attacker finds a way in.
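To make the "container and orchestrator level" distinction concrete, here is an added example (written for this note, not taken from the report) showing a weak kubelet configuration next to a hardened one, followed by a pod-level security context. The KubeletConfiguration fields (authentication.anonymous.enabled, authentication.webhook.enabled, authorization.mode, readOnlyPort) and the pod securityContext fields are standard Kubernetes settings; the pod and image names are placeholders.

```yaml
# --- Orchestrator layer: kubelet settings ---------------------------------
# WEAK (example of the kind of exposure attackers look for): anonymous
# requests are accepted and authorized, and the unauthenticated read-only
# port 10255 is open, so anyone who can reach the node can list pods and
# run commands through the kubelet API.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
readOnlyPort: 10255
---
# HARDENED: anonymous access off, every request authenticated via the API
# server (webhook) and authorized through RBAC, read-only port disabled.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
readOnlyPort: 0
---
# --- Container layer: pod security context --------------------------------
# Even if an attacker gets code running in the container (for example via
# a trojanized image or an exploited library), these settings limit what
# that code can do: no root, no privilege escalation, no extra capabilities,
# and an immutable root filesystem so dropped binaries cannot be written.
apiVersion: v1
kind: Pod
metadata:
  name: example-app            # placeholder name
spec:
  automountServiceAccountToken: false   # no API token unless the app needs one
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp             # scratch space, since / is read-only
  volumes:
    - name: tmp
      emptyDir: {}
```

The two layers cover different failure modes: the kubelet settings stop an attacker from using the node's control plane endpoints as an entry point, while the pod security context limits what a compromised workload can reach once inside. Neither replaces the other, which is what a layered approach means here.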

Implement scanning in development. Vulnerabilities such as Log4j show us how critical scanning is during development, as well as how critical it is to invest in tools that allow practitioners to gain visibility across the entire cloud-native stack.
