Aqua’s Top Five Threat Alerts for 2020
It has certainly been a rough year, and just as life constantly evolves, so do cyber threats. So here are a few blogs by our cybersecurity research group, Team Nautilus, that got the most attention from cloud native security professionals. These blogs highlight how attackers continue to get more creative over time, as we cover container image exploitation, fileless malware, Kinsing malware, sophisticated evasion techniques, and much more.
The emerging trend is clear: we’re seeing more attacks targeting the cloud native supply chain and infrastructure, and these attacks are becoming increasingly sophisticated and organized, which highlights the importance of adding Dynamic Threat Analysis and CSPM to your security arsenal. We expect that to intensify in 2021, so watch this space and subscribe to our blog.
Without further ado, here are Aqua’s top five threat alerts:
We discovered a new type of attack against container infrastructure. It exploits a misconfigured Docker API port to build and run a malicious container image on the host. This was the first time we observed this attack in the wild.
TeamTNT used a crypto-mining worm to steal AWS credentials from Docker Hub. Our investigation determined that dynamic analysis could have saved security teams a lot of time and aggravation by detecting these threats and getting the images removed from Docker Hub before they were deployed.
We’ve seen a rise in the number of attacks that target container environments. One such attack targets misconfigured, openly exposed Docker daemon API ports. This persistent campaign went on for months, directed by actors with more than enough resources and infrastructure to carry out and sustain it.
We uncovered a container image that, for the first time, allows bad actors to find and exploit vulnerabilities in Kubernetes clusters. Attackers propagate this malware through a Docker Hub lookalike account intended to dupe developers into downloading malicious images.
Our cyber research team detected a new type of attack that runs malware straight from memory in containers to evade common defenses and static scanning. This malware uses a rootkit to hide its running processes, then hijacks resources by executing a crypto miner from memory. This also leaves a backdoor through which attackers can do more damage.
You can find these, and all our other threat analyses, on the Team Nautilus research page.
Happy New Year
As we head into the new year, you can expect to see more helpful information coming from us. We’ll be covering not only threat alerts, but all things related to cloud native security.