Retrospective on container threat research so far this year

Palo Alto Networks

By Taylor Smith, Sr. Product Marketer for Prisma Cloud at Palo Alto Networks


Every year we see increased attacks and new, advanced techniques for threat actors to target valuable application resources and data. This year has been no exception. As COVID hit, the world went digital and migrated to the cloud at an accelerated rate. During this time, threat actors also increased their attacks on cloud native architectures, and new container technologies were no exception.

If there was a theme for the past six months, it would be new and sophisticated ways to inject cryptomining into containers and cloud hosts. For example, cryptomining was the most common attack type observed against a deliberately exposed Docker honeypot. Cryptocurrency prices for Monero and Ethereum skyrocketed over 345% and 1,000%, respectively. Prices at that level keep the theft of infrastructure resources to mine cryptocurrency a profitable business, even as defenses against cryptomining have improved.

New and old attack vectors used

How threat actors get into these environments has evolved, with more sophisticated techniques and new targets. This year we saw the first known malware targeting Windows containers, Siloscape. It targets Kubernetes deployments running Windows containers: it gains access by exploiting known vulnerabilities, escapes the container to the host node, and from there spreads to other parts of the cluster. The escape is a reminder that process-isolated Windows Server containers are not a security boundary on their own; where a workload is exposed, Hyper-V isolation is the stronger choice.

We also found new Denial of Service (DoS) vulnerabilities in CRI-O and Podman. With Kubernetes deprecating dockershim, and with it the Docker daemon as the default runtime, we expect to see more attacks targeting the other container runtimes through vulnerabilities like these.

Those were the sophisticated attacks, but the fact is that many cloud environments still lack basic hygiene, such as encrypting data at rest and in transit, and still pull images from unvetted public registries. We saw a rise in unencrypted databases, which are low-hanging fruit for bad actors. Additionally, Secrets were the most commonly exposed Kubernetes resource.

When keys are available, bad actors like TeamTNT, the most prolific attack group we observed, can easily scrape credentials, enumerate cloud environments, and mine cryptocurrencies or perform other nefarious activities. Additionally, Unit 42 found 30 container images containing malware in Docker Hub that had been downloaded over 20 million times. Just because an image is open source and public does not mean it has been vetted or is secure.
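The two hygiene problems above, unvetted public images and secrets exposed in plain sight, are both visible in a Pod spec before it ever reaches a cluster. The following is an added example written for this page, not code from Palo Alto Networks or Unit 42: a small admission-style check that walks the containers of a Pod (in the JSON shape `kubectl get pod -o json` returns), flags images that do not come from an allowlisted registry or are not pinned by digest, and flags environment variables whose names look like credentials but carry an inline `value` instead of a `valueFrom.secretKeyRef`. The registry allowlist, the sample Pod, and the digest value are constructed for the example.

```python
"""Hygiene check for Kubernetes Pod specs (added example, not from the original article)."""
import re

# Hypothetical allowlist: registries (or registry/namespace prefixes) the organisation has vetted.
TRUSTED_REGISTRIES = {"registry.example.internal:5000", "ghcr.io/example-org"}

# Environment variable names that usually carry credentials.
SECRET_NAME_RE = re.compile(r"(PASS|PASSWORD|TOKEN|SECRET|API_?KEY|PRIVATE_?KEY)", re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).

    A leading component counts as a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the reference is implicitly from Docker Hub (docker.io).
    """
    digest = None
    m = DIGEST_RE.search(ref)
    if m:
        digest = m.group(0)[1:]          # drop the '@'
        ref = ref[: m.start()]
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:   # a ':' in the last path segment is a tag, not a port
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def _is_trusted(registry, repo):
    origin = f"{registry}/{repo}"
    return any(registry == t or origin == t or origin.startswith(t + "/") for t in TRUSTED_REGISTRIES)


def audit_pod(pod):
    """Return a list of human-readable findings for one Pod object."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        registry, repo, tag, digest = parse_image(image)
        if not _is_trusted(registry, repo):
            findings.append(f"{name}: image {image} comes from unvetted registry {registry}")
        if digest is None:
            findings.append(f"{name}: image {image} is not pinned by digest (tag {tag or 'latest'} is mutable)")
        for env in c.get("env", []):
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(f"{name}: env {env['name']} holds an inline secret; use valueFrom.secretKeyRef")
    return findings


# Constructed sample Pod: one container with every problem, one that is clean.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "shop"},
    "spec": {
        "containers": [
            {
                "name": "web",
                "image": "nginx",                      # Docker Hub, floating 'latest' tag
                "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
            },
            {
                "name": "api",
                "image": f"registry.example.internal:5000/app/api:1.2.3@{SAMPLE_DIGEST}",
                "env": [{"name": "DB_PASSWORD",
                         "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
            },
        ]
    },
}

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

Run against real objects with `kubectl get pods -A -o json` piped into `json.load`, iterating over `items`. The same three checks map directly onto an admission policy (OPA/Gatekeeper or Kyverno rules), which is where they belong in production; the script shows the logic in one place.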

No rest for the defenders

These last six months have shown how new technologies like containers, which speed up development, can be exploited if not properly secured. Threat actors didn't slow down, and we don't expect the rest of the year to be any different. Check out more research findings in Palo Alto Networks' upcoming talks at Black Hat, and visit our booth to find out more.
