Aqua’s Team Nautilus has uncovered a container image that, for the first time, allows bad actors to find and exploit vulnerabilities in Kubernetes clusters. The attackers propagate this malware through a Docker Hub lookalike account intended to dupe developers into downloading malicious images. To the best of our …
A new vulnerability was found in containerd, located in the container image-pulling process. The new CVE includes manipulation of the image manifest, allowing attackers to craft an image that can leak the host’s registry or cloud credentials when pulled from a registry. This leak occurs even before the image is …
Over the past few weeks, TeamTNT grabbed headlines after launching several novel attacks against cloud native infrastructure. In response, Docker Hub decided to remove TeamTNT’s malicious images from its community and deleted the user 'Hildeteamtnt.' But just a few days later, TeamTNT reemerged with a catchy logo …
September 11, 2020
Threat Alert: Massive Cryptomining Campaign Abusing GitHub, Docker Hub, Travis CI & Circle CI
Aqua’s Team Nautilus detected an impressive campaign that set out to hijack resources to enable cryptocurrency mining. This operation focused on several SaaS software development environments, including Docker Hub, GitHub, Travis CI, and Circle CI, by abusing their automated build processes.
This blog was co-authored with Assaf Morag, Lead Security Analyst at Aqua Security
Ever notice how news about hidden malware almost always focuses on remediation AFTER the fact? So did we. Even now, there’s yet another news story about a rash of attacks by a group called TeamTNT. They used a crypto-mining worm to …
We have some exciting news about two new features in Tracee, Aqua’s open source container and system tracing utility. Now, Tracee is much more than just a system call tracer, it’s a powerful tool that can be used to perform forensic investigations and dynamic analysis of binaries – both are incredibly useful when …
We at Team Nautilus - Aqua’s cyber security research team - discovered a new type of attack against container infrastructure. The attacker exploits a misconfigured Docker API port in order to build and run a malicious container image on the host. As far as we know, this is the first time that an attack in which the …
Following an attack against a misconfigured Docker API port, the research team at Aqua Security performed an in-depth examination of the Docker Hub account from which the image was pulled. The examination was done by dynamically scanning for hidden threats in the container images hosted in that specific Docker Hub …
Two high-severity CVEs in the SaltStack platform were published last week by researchers at F-Secure. These vulnerabilities can enable remote code execution (RCE), which lets attackers remotely execute commands on the Salt leader node. This results in a full compromise of the host and can expose sensitive …
Lately we’ve been witnessing a rise in the number of attacks that target container environments. We’ve been tracking an organized attack campaign that targets misconfigured open Docker Daemon API ports. This persistent campaign has been going on for months, with thousands of attempts taking place nearly on a daily …
February 19, 2020
Threat Alert: Attack Vector Uses Containers to Methodically Target Cloud Resources
The Aqua Research team has identified a new attack vector that points to an evolution in attacks’ techniques and capabilities. In these attacks, the attackers leverage containers as an entry point to discover and spread to other resources used within cloud accounts. The attackers deployed a clean Ubuntu container, …