Container attacks have been on the rise in 2021. We observed numerous attacks designed to escape the container to the underlying host, which increases the impact of the attack well beyond the container itself. But how much damage can an attacker cause once they have escaped? To answer this question, we analyzed real-world container attacks to determine their blast radius.
We identified 105 hosts in the wild that had been compromised by malicious container images and analyzed the blast radius of the attacks, that is, the total potential impact an attacker could have after escaping to the host. 36% of the victim hosts had multiple severe vulnerabilities and misconfigurations that could lead to serious damage, and 70% offered at least a mild opportunity for credential theft and lateral movement.
Several weeks later we analyzed the same 105 hosts again: 50% had corrected all of the vulnerabilities and misconfigurations, 12% had fixed some but not all of them, and 25% had changed nothing. Our conclusion is that most security teams can detect these vulnerabilities and misconfigurations, but they either fail to detect them in a timely manner or fail to fix them quickly, and a host that is still misconfigured weeks after a compromise remains open to the next attacker.
Escaping the container to the world beyond
The Blast Radius Analysis of Container Attacks report outlines the resources on the host that become reachable once an attacker has escaped the container:
- Remote services: Threat actors look for SSH (Secure Shell) private keys on the host, which give them access to sensitive services and let them move laterally to additional hosts.
- Cloud metadata: Some attacks query the cloud instance metadata service, which hands out keys, tokens or other secrets for the instance's cloud identity to any process on the host; these can then be used to reach other accounts or environments.
- HTTP: If a service uses unencrypted HTTP, an attacker on the host can capture and inspect its traffic to look for credentials or other information that extends their reach inside the host or beyond it.
- Databases: Database services are exposed to direct attacks such as brute forcing. Some databases are installed without credentials by default, so an attacker on the host can simply connect to them and read the data.
How large can a blast radius be? A case study
As we discovered in a case study of one victim, there are further resources on the host that may be exploited by an attacker:
An unprotected website
A website that uses HTTP instead of HTTPS does not encrypt its traffic, and that undermines other protections. Attackers with access to the host can record all of its communications and pick out sensitive data such as passwords, personally identifiable information (PII) and more.
Installed databases
Databases are a favourite target. This host was running both MySQL and Redis. Attackers with access to the host can search it for passwords and secrets, or brute force their way into these databases. Some databases require no authentication by default (Redis, for example, ships without a password and relies on being reachable only from localhost, which an attacker on the host already is), so the data can be collected with no effort at all.
Installed big data technologies
Apache ZooKeeper is an open source coordination service that keeps configuration and state for distributed systems, and it is usually found alongside big data technologies. This host was running version 3.4.9, which has a critical vulnerability. In our example we saw a huge cluster of more than 200 nodes, which means it likely holds critical data. By exploiting this vulnerability, the attackers can reach any valuable data held in the ZooKeeper service.
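The script below is an added example, not code from this post or from the report: it audits a host for the resources listed above and seen in the case study (SSH private keys, the cloud metadata endpoint, cleartext HTTP, and Redis, MySQL and ZooKeeper listeners) the way an attacker who has just escaped a container would look for them. The port-to-service table, the `ss -ltn` sample and the `redis.conf` sample are constructed for the example; `169.254.169.254` is the link-local address AWS, GCP and Azure use for instance metadata.

```python
"""Host-side blast-radius audit (added example): looks for the resources the post says an
escaped container can reach. Sample inputs are constructed; only metadata_reachable() touches the network."""
import re
import socket
import stat
import tempfile
from pathlib import Path
DEFAULT_PORTS = {  # services named in the post, keyed by their default TCP port (assumed)
    80: "HTTP (cleartext; credentials can be sniffed on the host)",
    3306: "MySQL",
    6379: "Redis (no authentication unless requirepass is set)",
    2181: "ZooKeeper client port",
}
METADATA_IP = "169.254.169.254"  # instance metadata address on AWS, GCP and Azure
PRIVATE_KEY_RE = re.compile(r"^-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      511    127.0.0.1:6379    0.0.0.0:*
LISTEN 0      80     *:3306            *:*
LISTEN 0      50     [::]:2181         [::]:*
"""  # constructed `ss -ltn` output, as an attacker on the host would see it
SAMPLE_REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"  # constructed, leaves data open

def find_private_keys(root):
    """Return sorted (path, world_readable) for every PEM private key under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with open(path, "rb") as fh:
                head = fh.readline(64).decode("ascii", "replace")
        except OSError:
            continue
        if PRIVATE_KEY_RE.match(head):
            mode = stat.S_IMODE(path.stat().st_mode)
            hits.append((str(path), bool(mode & (stat.S_IRGRP | stat.S_IROTH))))
    return sorted(hits)

def parse_listeners(ss_output):
    """Parse `ss -ltn` output into [(address, port)]."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "LISTEN":
            addr, _, port = parts[3].rpartition(":")
            listeners.append((addr, int(port)))
    return listeners

def exposed_services(listeners):
    """Match listeners to DEFAULT_PORTS; loopback-bound services are 'host only', which an escaped attacker still reaches."""
    return [(port, DEFAULT_PORTS[port],
             "host only" if addr in ("127.0.0.1", "[::1]") else "network")
            for addr, port in listeners if port in DEFAULT_PORTS]

def redis_conf_findings(conf_text):
    """Flag settings that let any client on the host read Redis without a password."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives.setdefault(key, []).append(value.strip())
    findings = []
    if "requirepass" not in directives:
        findings.append("no requirepass")
    if directives.get("protected-mode", ["yes"])[0] == "no":
        findings.append("protected-mode no")
    if any(v.split()[0] in ("0.0.0.0", "*") for v in directives.get("bind", []) if v):
        findings.append("bind 0.0.0.0")
    return findings

def metadata_reachable(host=METADATA_IP, port=80, timeout=1.0):
    """True if the instance metadata service accepts a TCP connection from this host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def build_sample_home():
    """Throwaway home directory with two constructed keys and one decoy file."""
    home = Path(tempfile.mkdtemp(prefix="blast-"))
    (home / ".ssh").mkdir()
    (home / ".ssh" / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n")
    (home / ".ssh" / "id_ed25519").chmod(0o600)
    (home / "deploy.pem").write_text("-----BEGIN RSA PRIVATE KEY-----\nMIIE\n")
    (home / "deploy.pem").chmod(0o644)  # readable by every account on the host
    (home / "notes.txt").write_text("not a key\n")
    return home

if __name__ == "__main__":
    print("keys:", find_private_keys(build_sample_home()))
    print("services:", exposed_services(parse_listeners(SAMPLE_SS)))
    print("redis:", redis_conf_findings(SAMPLE_REDIS_CONF) or "ok")
    print("metadata endpoint reachable:", metadata_reachable())
```

To use it on a real host, point `find_private_keys` at `/home` and `/root`, feed `parse_listeners` the actual `ss -ltn` output and `redis_conf_findings` the real `redis.conf`. Note that a Redis bound only to 127.0.0.1 is reported as "host only" rather than safe: once the attacker has escaped the container, they are on that host, so loopback is no barrier and only `requirepass` (or an ACL) stands between them and the data.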
Keeping attacks contained
Throughout the analysis we learned several lessons about reducing the impact of container attacks, including a surprising recommendation against a fairly common security practice. To find out the key lessons learned and the recommended course of action to protect your own environment, get our Blast Radius Analysis of Container Attacks report.